What is javascript injection? and how can this be used in software testing?
JS injection runs javascript from the client side called by the client. You can do this in the browser or in the console like in chrome. When testing, this can be useful because you can interact with live web applications without having to rewrite, recompile, and retest. It can also be quite useful when hacking by modifying web pages while you're at them, i.e. with weak password checking, the script always returns true, giving you access to the inputs. In chrome press ctrl+ shift+ jand go to console. There you can play with javascript and see how it works for you. Other browsers use url string like:
javascript:alert(some element = some val)
source to share
While most people here refer to client side javascript injection (e.g. cross site scripting)
The expression "cross-site scripting" originally referred to the act of loading an attacked third-party web application from an unrelated attack site, in a way that executes a piece of JavaScript prepared by the attacker in the security context of the target domain (reflected or fake XSS vulnerability). Wikipedia
With the growth of NoSQL, we have a new kind of injection - serveride javascript injection SSJS, which in some ways is very similar to SQL injection. Take a look at this document (pdf!) Which describes both of them.
source to share
You can reference how you can open any javascript website in a console like firebug and overwrite the functions defined there. by doing this and adding (or removing) additional code, you can output data that needs to be "encapsulated" in the closure ... however, it can really go much further.
in some browsers you can even do it on the url bar if you don't mind writing on one line
NOTE: cross-site scripting which I completely forgot until I mentioned it. haha duuuhhh
source to share
XSS is usually a read-only attack when it comes to javascript injection. Basically, you load malicious javascript into a web page that can later be used for phishing purposes.
I don't think there are great javascript tools out there that can expose XSS vulnerabilities. When it comes to security, he still needs a person (preferably a security expert) to come up with testing, perhaps with tools.
source to share