I have a problem in a Ruby on Rails app that I am working on. I have been working on the app for months and I have never had this problem before, and after a few Google searches I think that somehow someone is trying to steal cookies with JavaScript.

When I click on the link I get an alert box titled "the page at www.napkinboard.com says:" and contains the following message:

__utmz=217223433.1270652009.59.3.utmcsr=localhost:3000|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=217223433.2133018314.1265749085.1271097412.1271125626.63; __utmc=217223433; __utmb=217223433.11.10.1271125626

I checked the database and all data associated with this 'food_item' looks completely normal and does not contain any javascript at all.

How did this suddenly happen and how can I stop it? I appreciate any help. Thanks.

EDIT: Can't believe I forgot the URL: http://www.napkinboard.com/food_items/413

What link did you click on? – SLaks Apr 13 at 2:43

2 Answers

Load up Firefox and Firebug, and see what the JavaScript and network stack trace show. That should give you an idea of where it's coming from, etc.


It sounds like you've found a link that exploits an XSS vulnerability using the query string.

Make sure to properly escape all of your output.

I just edited the post to include the URL that I ridiculously forgot to include: napkinboard.com/food_items/413. I definitely need to make sure to escape all of my output, but there is no query string in this URL, right? So I don't know if that can be the issue here. I have clicked on this link before and the alert box did not arise. – conorgil Apr 13 at 3:03
I have discovered that a user entered their comment as "<script>alert(document.cookie);</script>" so you are absolutely correct. I print comments with: <%=h @napkin.comment %> so shouldn't the output be properly escaped? – conorgil Apr 13 at 4:04
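The stored comment quoted in the comments above is a textbook stored XSS payload, and the answer's advice ("escape all of your output") is the fix. As an added example that is not code from this thread or from Rails itself, here is a stand-alone ERB stand-in for the view that renders the same constructed comment two ways: once with raw interpolation (what a bare `<%= %>` did in Rails 2.x, the current version when this was asked; Rails 3 and later escape `<%= %>` by default) and once through `h`, which is `ERB::Util.html_escape`, the same helper a Rails 2.x view gets. The `CommentView` class, the `STORED_COMMENT` value and the `flag_markup` audit helper are assumptions for the demo, not anything from the app in the question. The practical check it suggests: one render path that skips `h` is enough to fire the alert, so every place a comment is output (index pages, partials, RSS, JSON, mail templates) has to go through the escaped form, and `flag_markup` shows a cheap way to list which stored records would be rendered differently once escaping is applied.

```ruby
require "erb"

# Constructed sample matching the comment described in the thread: the
# attacker's text is stored in the database verbatim, exactly as typed.
STORED_COMMENT = "<script>alert(document.cookie);</script>"

# Minimal stand-in for a Rails 2.x view (hypothetical class, not from the
# app in the question). ERB::Util supplies h(), i.e. html_escape().
class CommentView
  include ERB::Util

  def initialize(comment)
    @comment = comment
  end

  # Vulnerable form: raw interpolation. In Rails 2.x a bare <%= %> emits
  # the string untouched, so stored markup becomes live markup.
  def render_unescaped
    ERB.new("<p class=\"comment\"><%= @comment %></p>").result(binding)
  end

  # Hardened form: the user-supplied value goes through h before output,
  # so <, >, &, " and ' become entities and the browser shows them as text.
  def render_escaped
    ERB.new("<p class=\"comment\"><%=h @comment %></p>").result(binding)
  end
end

# Demo-only heuristic: does the rendered HTML contain a live <script> tag?
# A real audit would use an HTML parser; this is enough to show the difference.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

# Render one stored comment both ways and return the two results.
def demo(comment = STORED_COMMENT)
  view = CommentView.new(comment)
  { unescaped: view.render_unescaped, escaped: view.render_escaped }
end

# Audit helper: given stored comments (e.g. pulled from the DB), return the
# ones that escaping would change. Those are the records carrying HTML
# special characters, which is where to look for injected markup.
def flag_markup(comments)
  comments.select { |c| ERB::Util.html_escape(c) != c }
end

if __FILE__ == $PROGRAM_NAME
  out = demo
  puts "unescaped: #{out[:unescaped]}"
  puts "escaped:   #{out[:escaped]}"
  # Constructed sample records: only the second one contains markup.
  puts "flagged:   #{flag_markup(["great place", STORED_COMMENT, "ok"]).inspect}"
end
```

Run it with `ruby comment_view_demo.rb`: the unescaped line reproduces exactly the HTML that triggered the alert box, while the escaped line shows `&lt;script&gt;...&lt;/script&gt;`, which a browser renders as literal text. The `binding` passed to `ERB#result` is the view instance's, which is why `@comment` and `h` resolve inside the template, the same arrangement ActionView uses.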
