Finding an alert in the middle of your JavaScript

Posted by Ariel Popovsky on Geeks with Blogs
Published on Fri, 11 Mar 2011 21:40:22 GMT

I was debugging a script injection issue the other day using some sample code with an alert in it. The alert was popping up, meaning the code got executed, leaving open the possibility for a hacker to put some nasty malicious code there. I knew my alert was being executed but didn’t know how. So I tried something that worked perfectly for this problem: I replaced the native alert function with my own.

All I had to do in Chrome was open the JavaScript console and type:

alert = function(msg){ console.log(msg); console.trace(); };

The next time the malicious code was executed, instead of the regular alert I got something similar to this:

 

alert("testing")
testing
console.trace()
alert:2
(anonymous function):2
InjectedScript._evaluateOn:312
InjectedScript._evaluateAndWrap:294
InjectedScript.evaluate:288
undefined

In my case I was able to see what was going on and find the offending function.

This was tested on Firebug in Firefox and it works as.
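The same idea as a reusable helper (an added example, not code from the original post): it generalises the alert override to any function on any object, keeps each captured stack for later inspection, and can put the original function back. `traceCalls`, `fakeWindow` and `renderGreeting` are hypothetical names; `fakeWindow` is a constructed stand-in for `window` so the snippet also runs outside a browser.

```javascript
// Wrap owner[name] so every call records its arguments and the call stack.
function traceCalls(owner, name, log = console.log) {
  const original = owner[name];
  const calls = [];
  owner[name] = function (...args) {
    // The Error is created at call time, so its stack names the caller chain.
    const stack = new Error(`${name} called`).stack;
    calls.push({ args, stack });
    log(`${name}(${args.map(String).join(", ")})\n${stack}`);
    // The original is deliberately not called: like the console override
    // above, this suppresses the dialog while debugging.
  };
  return {
    calls,
    restore() {
      owner[name] = original;
    },
  };
}

// Constructed stand-in for window (assumption: in a browser, pass window).
const fakeWindow = {
  alert(msg) {
    return `dialog:${msg}`;
  },
};

// Constructed stand-in for the page function that ends up running the input.
function renderGreeting(win, userInput) {
  win.alert(userInput);
}

// Install the tracer, trigger the call, then restore the native function.
function demo() {
  const tracer = traceCalls(fakeWindow, "alert", () => {});
  renderGreeting(fakeWindow, "testing");
  tracer.restore();
  return tracer;
}
```

In a browser console the call would be `traceCalls(window, "alert")`. A wrapper installed from the console only sees calls made after it is installed, so code that runs during page load has to be triggered again.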
