How to prevent code injection attacks in PHP?

Which function is used when?

- `mysql_real_escape_string()`: used when inserting into the database
- `htmlentities()`: used when outputting data into a web page
- `htmlspecialchars()`: used when?
- `strip_tags()`: used when?
- `addslashes()`: used when?

`htmlspecialchars()` used when? `htmlspecialchars` is roughly the same as `htmlentities`. The difference: character encodings. Both encode control characters like `<`, `>`, `&` and so on used for opening tags etc. `htmlentities` also encodes …

How to prevent Javascript injection attacks within user-generated HTML

You think that's it? Check this out. Whatever approach you take, you definitely need to use a whitelist. It's the only way to even come close to being safe about what you're allowing on your site. EDIT: I'm not familiar with .NET, unfortunately, but you can check out stackoverflow's own battle with XSS (https://blog.stackoverflow.com/2008/06/safe-html-and-xss/) and …

Can parameterized statement stop all SQL injection?

When articles talk about parameterized queries stopping SQL attacks they don't really explain why, it's often a case of "It does, so don't ask why" — possibly because they don't know themselves. A sure sign of a bad educator is one that can't admit they don't know something. But I digress. When I say I …

How does this site infecting script work?

Notice the replace call after the giant messy string: `.replace(/#|\$|@|\^|&|\(|\)|\!/ig, "")`. It removes most of the special characters, turning it into a normal URL: `evil://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/` (I manually changed `http:` to `evil:`). Note that the regex could have been simplified to `.replace(/[#$@^&()!]/ig, "")`. If you look at the script, you'll see that it's a very simple …

Spring: How to inject a value to static field?

First of all, public static non-final fields are evil. Spring does not allow injecting to such fields for a reason. Your workaround is valid, you don't even need getter/setter, private field is enough. On the other hand try this: `@Value("${my.name}") public void setPrivateName(String privateName) { Sample.name = privateName; }` (works with `@Autowired`/`@Resource`). But to give …