Reputation: 3251
Say I, or somebody else, were to inject custom JavaScript on my website via the console, say to fire the Facebook pixel via JavaScript, or to simulate real mouse movement via JavaScript.
Is it possible for the website to detect this has been done?
Upvotes: 2
Views: 798
Reputation: 1135
Yes, it is generally possible, but it depends on what you execute.
According to developers.facebook.com/docs/meta-pixel/get-started (as of July 2024), a pixel can be embedded with the following HTML:
<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '{your-pixel-id-goes-here}');
fbq('track', 'PageView');
</script>
<noscript>
<img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id={your-pixel-id-goes-here}&ev=PageView&noscript=1"/>
</noscript>
<!-- End Facebook Pixel Code -->
which adds a script from the server (https://connect.facebook.net/en_US/fbevents.js) directly to your top page.
That script could potentially hook, for example, the document.documentElement.outerHTML property and detect access to it.
For example, with the following code:
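// Wrap the root element in a Proxy that reports reads of outerHTML.
const proxy = new Proxy(document.documentElement, {
  get(target, prop, receiver) {
    if (prop === "outerHTML") {
      console.log('detected access on "' + prop + '"', receiver)
      return "mocked value:)"
    }
    // Read from the real element, not the proxy: native DOM getters and
    // methods throw "Illegal invocation" when `this` is a Proxy.
    const value = Reflect.get(target, prop, target)
    return typeof value === "function" ? value.bind(target) : value
  },
});
// Shadow document.documentElement so page scripts receive the proxy.
Object.defineProperty(document, "documentElement", {
  value: proxy
})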
an injected script like
console.log(document.documentElement.outerHTML)
could be detected.
In browser automation, this can be prevented by injecting into an isolated world JavaScript execution context.
An example of that would be github.com/kaliiiiiiiiii/Selenium-Driverless#isolated-execution-context
Disclaimer: I'm the developer of Selenium-Driverless
Upvotes: 0
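The hook from the answer above, generalized as an added example (not code from the answer or from any project it mentions): instead of proxying the whole element, it installs an accessor on the watched property only, so every other property keeps its native behaviour, and it records a stack trace for each read. `installTripwire`, `findDescriptor` and `FakeElement` are hypothetical names; `FakeElement` is a constructed stand-in for `document.documentElement` so the block runs outside a browser.

```javascript
// Added example; installTripwire, findDescriptor and FakeElement are hypothetical names.
function findDescriptor(obj, prop) {
  // DOM accessors such as outerHTML live on a prototype, so walk the chain.
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, prop);
    if (desc) return desc;
  }
}

function installTripwire(target, prop, onAccess) {
  const original = findDescriptor(target, prop);
  if (!original) throw new TypeError(`no property "${prop}" to watch`);
  const hadOwn = Object.prototype.hasOwnProperty.call(target, prop);
  let current = original.value; // backing store when prop is a data property
  Object.defineProperty(target, prop, {
    configurable: true,
    enumerable: original.enumerable,
    get() {
      onAccess({ prop, stack: new Error().stack }); // stack shows who read it
      return original.get ? original.get.call(target) : current;
    },
    set(v) {
      if (original.set) original.set.call(target, v);
      else current = v;
    },
  });
  // Uninstall: restore an own property, or unshadow the inherited one.
  return () => {
    if (hadOwn) Object.defineProperty(target, prop, original);
    else delete target[prop];
  };
}

// Constructed stand-in for document.documentElement (no DOM outside a browser).
class FakeElement {
  get outerHTML() { return "<html><body>constructed sample</body></html>"; }
  get tagName() { return "HTML"; }
}

function demo() {
  const el = new FakeElement();
  const hits = [];
  const uninstall = installTripwire(el, "outerHTML", (hit) => hits.push(hit));
  const seen = el.outerHTML; // watched read: reported, real value returned
  const tag = el.tagName;    // unwatched read: not reported
  uninstall();
  const after = el.outerHTML; // tripwire removed: not reported
  return { seen, tag, after, hitCount: hits.length, firstProp: hits[0].prop };
}
```

In a page, the same function takes `document.documentElement` as its first argument in place of the stand-in.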
Reputation: 117
No. The developer's console is entirely temporary. Now let's say that you created a function that is run off of a server, let's say a function that sends a message to other people on the same server (i.e. instant messaging). If you send a message through a server, then it can be seen, but that is only if you send the message through a server. But if you just type a function into the console that returns the words "Hello, World", that cannot be seen by anyone. So, in conclusion, if you use a function hooked up to a server that sends data back to the server, then yes, it can be seen, but like the example you gave, the Facebook Pixel, that is sent from Facebook, but you implement it in your site; it is run from the server from Facebook, not your website.
Upvotes: 0