Retrieving CSRF token from third party website form using XHR (JavaScript)

I know they say CSRF tokens are the most secure way to prevent CSRF attacks but what if someone uses XHR to retrieve the page containing the csrf token along with the form and then use that token for his attacks?

Why they don’t say “Referer” header is the most secure way to prevent CSRF attacks? Afterall nearly 99% of the currently in-use browsers will provide “Referer” header and the attacker cannot change it in anyway. (Yes, he can’t, unless the browser/OS itself is compromised)

Now that I protect my website using “referer” header, do I really need csrf tokens? All my important requests are using POST and not GET method.

How can I predict javascript Math.random method given integers?

I know this is possible because people have mentioned doing it. Given the XorShift128+ algorithm, how can I predict the next numbers given 15 integers generated through Math.floor(Math.random() * (max - min +1) + min). I have tried modifying this script https://github.com/TACIXAT/XorShift128Plus into this https://gist.github.com/jgc37/6456222408f17a874bd4bdd8e6923771, however my code doesn’t work and is stuck solving infinitely. Any help would be appreciated.

Security Report about “Insecure Content-Type Setting”: Does this apply to CSS and JavaScript as well?

I am working through a report of an automated vulnerability scanner. One Item is

Web Server Misconfiguration: Insecure Content-Type Setting ( 11359 )

It’s about not returning the character-set for a given HTML page like so, for example:

HTTP/1.1 200 OK ... Content-Type: text/html; charset=utf-8 ... 

the reported response in question only gives

HTTP/1.1 200 OK ... Content-Type: text/html ... 

Now I understand the implications, but what about CSS and especially JavaScript?

Is the charset of CSS and JavaScript resources strictly defined by a standard?

What if I have internationalized strings in JavaScript variables? Will those by definition have to be escaped? Or would this case require the declaration of a charset?

What can make input injected with JavaScript unrecognizable?

Often when I input text into a field with JavaScript (for the sake of automating form filling):

document.querySelector("#username").value = "USERNAME"; 

I encounter the following problem.

My problem

Inputted text isn’t recognized as is, so the form could not be submitted and I am asked to “fill in data in all fields” → unless I, say, delete the last (or first) character of the inputted text and then re-input that character manually myself.

A failed coping pattern

To cope with the aforementioned problem I have tried the following pattern which failed:

1) Manually mouselick on all fields and then execute in devtool console:

dispatchEvent(new Event("keydown")); dispatchEvent(new Event("keyup")); dispatchEvent(new Event("change")); 

true

2) Manually mouselick on all fields again;

But I still have the same problem in many different scenarios (different websites).


My question

What can make input injected with JavaScript unrecognizable?
What makes inputted text unrecognizable in some web form fields (or web forms) and how to tackle it?

Why according to my opinion this question is not about coding and does not belong to StackOverflow

I am not asking for a code solution; I am asking what are the information security concepts implemented by programmers of such “defended” forms and I assume that the list of options isn’t endless and isn’t long (I think I have already covered most options).

AJAX Call Via Vanilla JavaScript In WordPress Plugin Development

I ama newbie in WordPress Plugin development in which I have some HTML form on the main plugin page that will get the data from the admin who is logged in and a back page where I have some different functions in PHP like to get information from the database etc. To explain in detail, here is the code…

Main Plugin File:

<?php /* Plugin Name: WP Testing Plugin Plugin URI: http://www.wordpress.org/WP-Testing-Plugin Description: A Detailed Description About This Plugin. Author: Muhammad Hassan Version: 0.1 Author URI: http://www.wordpress.org */  /*____________WP Testing Plugin Admin/Script_____________*/ function wp_testingPlugin_admin() {     echo '         <form id="searchForm" onsubmit="return searchData(this)">             <input name="WhatToSearch" type="text" />             <input type="submit" value="Search"/>             <input type="reset" value="Reset"/>             <div id="showReturnData"></div>         </form>     ';     echo '         <form id="infoForm" onsubmit="return searchInfo(this)">             <input name="WhatToKnow" type="text" />             <input type="submit" value="Search"/>             <input type="reset" value="Reset"/>             <div id="showReturnInfo"></div>         </form>     ';      echo '         <script type="text/javascript">             function searchData(incomingForm) {                 // Confirmation To Add A Data                 var answer = confirm("Are You Sure Want To Search?");                 if (answer){                     // If User Click Ok Then Execute The Below Code                          var FD = new FormData(incomingForm); // Get FORM Element Object                     FD.append("Function", "DataFunction"); // Adding Extra Data In FORM Element Object To Hit Only This Function In Ajax Call File                     var ajx = new XMLHttpRequest();                     ajx.onreadystatechange = function () {                         if (ajx.readyState == 4 && ajx.status == 200) {                             document.getElementById("showReturnData").innerHTML = ajx.responseText;                                      }                     };                     ajx.open("POST", "'.plugin_dir_url( __FILE__ ).'my_functions.php", true);                     ajx.send(FD);                     document.getElementById("showReturnData").innerHTML = "<div class="error">ERROR: AJAX Did Not Respond.</div>";                 }                 return false; // For Not To Reload Page             }               function searchInfo(incomingForm) {                 // Confirmation To Add A Data                 var answer = confirm("Are You Sure Want To Search?");                 if (answer){                     // If User Click Ok Then Execute The Below Code                          var FD = new FormData(incomingForm); // Get FORM Element Object                     FD.append("Function", "InfoFunction"); // Adding Extra Data In FORM Element Object To Hit Only This Function In Ajax Call File                     var ajx = new XMLHttpRequest();                     ajx.onreadystatechange = function () {                         if (ajx.readyState == 4 && ajx.status == 200) {                             document.getElementById("showReturnData").innerHTML = ajx.responseText;                                      }                     };                     ajx.open("POST", "'.plugin_dir_url( __FILE__ ).'my_functions.php", true);                     ajx.send(FD);                     document.getElementById("showReturnInfo").innerHTML = "<div class="error">ERROR: AJAX Did Not Respond.</div>";                 }                 return false; // For Not To Reload Page             }          </script>     '; //if you want only logged in users to access this function use this hook add_action('wp_ajax_searchData', 'searchData'); add_action('wp_ajax_searchInfo', 'searchInfo'); //if you want none logged in users to access this function use this hook add_action('wp_ajax_nopriv_searchData', 'searchData'); add_action('wp_ajax_nopriv_searchInfo', 'searchInfo');   } /*__________________________________________________________________*/   /*____________WP Testing Plugin Option_____________*/ //Adding "WP Testing Plugin" Menu To WordPress -> Tools function wp_testingPlugin() {     //  add_management_page( $  page_title, $  menu_title, $  capability, $  menu_slug, $  function);                  Menu Under Tools     add_management_page("WP Testing Plugin By Hassan", "WP Testing Plugin", 'activate_plugins', "WP-Testing-Plugin", "wp_testingPlugin_admin"); } add_action('admin_menu', 'wp_testingPlugin'); /*__________________________________________________________________*/ ?> 

And this is my_functions.php file.

<?php /****************************************************************************/ //Garb The Function Parameter /****************************************************************************/ $  Function = $  _POST['Function'];   /****************************************************************************/ // Run Search Function /****************************************************************************/ if ($  Function == "DataFunction"){      if(!isset($  _POST['WhatToSearch'])){         $  WhatToSearch = "Nothing";     } else {         $  WhatToSearch = $  _POST['WhatToSearch'];     }      echo "<div class='success'>SUCCESS: Function Is Working Perfectly And Getting Data ".$  WhatToSearch.".</div>"; }  /****************************************************************************/ // Run Another Function /****************************************************************************/ if ($  Function == "InfoFunction"){      if(!isset($  _POST['WhatToKnow'])){         $  WhatToKnow = "Nothing";     } else {         $  WhatToKnow = $  _POST['WhatToKnow'];     }      echo "<div class='success'>SUCCESS: Function Is Working Perfectly And Getting Data ".$  WhatToKnow.".</div>"; }  ?> 

But my code is not working and not hitting my_functions.php file even. Whats the problem here? Need basic step only to work in this patteren. Currently, I am not sure I am even implementing this correctly as I never used WP AJAX before. So right now, my objective is just to get a basic example working. I appreciate any suggestions on how to accomplish this.

Thank you!

What kind of JavaScript protection is usually applied on password fields to prevent value injection? [closed]

There is a certain website with a certain login form which includes two fields; username and password.

I can successfully inject data with vanilla JavaScript to the first field:

document.querySelector("#username").value = "USERNAME"; 

But when I try to inject a password:

document.querySelector("#password").value = "PASSWORD"; 

I get an error:

VM1766:1 Uncaught TypeError: Cannot set property ‘value’ of null at :1:45

My problem

I double checked if the field exists as is and it is indeed existing in DOM;
I further ran a code like console.log(document.querySelector("#password")); and got lots of output which I purposely evade pasting here due to legal reasons.

My question

What kind of JavaScript protection is usually applied on password fields to prevent value injection?

Disable Cloudflare Rocket Loader for jQuery javascript and make it load first

I use Cloudflare Rocket Loader to speed up Javascript on my site.

The problem is, it loads certain scripts that need jQuery before loading jQuery itself making them not working correctly.

As soon as it is possible to disable Rocket Loader for specific script adding data-cfasync="false" to the <script src=""> I would like to know how can I add it to jQuery scripts as WordPress doesn’t simply load the jQuery via the script tag I guess.

At the moment my website loads jquery-migrate.min.js and jquery.js

PS there is a similar question but it’s almost 7yrs ago so, it may be outdated at this point Cloudflare's Rocket Loader + WordPress -> Ignore scripts?

Change Template view of proucts on click button with javascript woocommerce

I use woocommmerce and i have two template view for products (content-product.php) and (contentcarousel-product.php) . in (archive-product.php) per defaut display first template like this

<?php wc_get_template_part( 'content', 'product' ); ?> 

I created two button like this with onclick event with javascript

<button onclick="Viewone()"> view 1</button> <button onclick="Viewtwo()"> view 2</button> 

I want when click button 1 display first template per defaut and when click button 2 display second template.

How i can do this with javascript and php

How to save javascript high score to usermeta

I built a simple addition math game for my son using javascript so he can practice his math facts. Basically, he has 90 seconds to answer as many questions correctly as possible.

I want to be able to save and track his high scores using the usermeta table, but I am having trouble figuring it out. I know that I need to use this function:

update_user_meta( get_current_user_id(), 'high_score', $  meta_value); 

but I cannot determine how to get my “var highScore” from Javascript into the PHP $ meta_value. I also need to figure out a hook or something that will trigger the function once the game is over.