This question already has answers here:
How to prevent your JavaScript code from being stolen, copied, and viewed? [closed]
(10 answers)
Closed 7 years ago.
I've developed web software that I would like to start leasing to companies.
It is a javascript program that works as module that only needs linked from their site to utilize.
What are the methods available to secure that the scripts only work for selected clients, paying customers?
I was thinking I could provide them with a code that would need to be verified in my database before printing out the javascript to their page, but after the first fetch they would gain access to the javascript which they could copy and thus never have the need to pay again..
Moving your business logic code to the server is the only reliable way.
Of course you could obfuscate your code and have it only work by fetching a token from your server, but that'll get cracked eventually and obfuscated code has a real performance cost.
Related
This question already has answers here:
How to change registry settings on a system through web browser
(4 answers)
Closed 5 years ago.
I am new to penetration testing. My requirement is to update registry values from browser using a client side programming language like javascript. Is it possible?
No, JavaScript can't read / write arbitrary files to the hard disk, copy them or call programs. It does not have direct access to the operating system.
This is done for the security of users, so that an attacker could not use JavaScript to obtain personal data or somehow damage the user's computer.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
I am writing a small software to extract text from website. but there is encrypted captcha available there. I want to decrypt that in my c# program and bypass that. here is encrypted captcha found on that page and corresponding plain captcha.
Encrypted captcha :
VFRZWVdLYlRpSUpXN1ZDdU1BcDZiK0lOWFdCTFNtM2cxZFRqb0dlR0txZnlmWHJ2U01OV0hFeW5FYm1YNUloR3JPdHhQaHBFT2tsbwpJbmlSbkxzNmdPblVGc1N0UmdnZDQxVUNHYlJseXFGRkE1d1o5ODNuSGc9PQ==
Output plain text captcha is: 8RTE9
Is there any way by which I can guess algorithm used in this encryption?
The simple answer to this is you can't.
Not using the method you want to use anyway.
The reason captcha exists is to prevent machines from performing automated login or just to verify that the user is actually a human.
You're not going to be able to decrypt a captcha on the client side. Chances are the captcha processing is done entirely on the server side.
The encryption keys aren't available to you and to 'guess' (brute force) the encryption key will likely take conventional hardware until after the heat death of the universe. That's if captcha even uses encryption. It might use hashing instead (which is more likely).
As for identifying the encryption/hashing algorithm used? If you can work out what captcha library is being used you MAY be able to figure out if it uses default values and use that as a baseline for creating a data set for machine learning. Again, these are big IFS and BUTS.
If it's an open source captcha library then it's possible you could use machine learning to circumvent the captcha by generating a training set for a machine learning algorithm using the library.
Of course ultimately you should tell your boss at the company you work at that you can't do this. Years of research and probably hundreds of thousands or millions of dollars have gone into creating this kind of technology to prevent people from being able to do exactly what you're suggesting you need to do.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
Please note; this is NOT a duplicate of one of the other similar questions here on SO, as I clearly explain in the fifth paragraph of this question. Furthermore, it is not opinion based. I'm merely asking for the pro's and cons of the two ways of doing things, and specifically why Stackoverflow does things the way it does them.
For my website I'm building a notification similar to how it is implemented here on Stackoverflow at the top; when you click the notifications icon, a dropdown is presented with the relevant notifications.
I currently wrote my system in a way that the api call returns a list of json objects containing the notifications, and I then construct the html in javascript in the browser. But when I look at the network calls made by SO, I see that the api call here simply returns the html which is then pasted into the dropdown.
I now wonder; why does SO do it like this? In my opinion it is way more efficient to just provide the data in json instead of all the html surrounding it.
I checked out another question on this topic here: which suggests a third option; some kind of templating system, but that is a bit too much for the simple html that I want to insert. So I don't really want to consider that option. One more question on this topic talks specifically about the performance difference, which I'm not too concerned about either (maintainability and simplicity is more important for me than those couple milliseconds difference).
So my question is; is it more advantageous (for whichever reason) to supply all the html or just the json on an api call, and why?
In an ideal world, and in order to have a clear separation of concerns, a web api should return a view agnostic response. That gives you a big flexibility in several fronts
You can use the same api to serve different client technologies
Even in case you don't use different client technologies you may want to change something related to presentation and, if you return view specific content, is possible you'll need to change your api logic to adapt the response.
I pefer JSON response because:
(+) It is reusable, you can display this notifications in dropdown on top bar and inside user profile -> one api service - many different controls/elements
(+) less data transfered via http
(-) More calculations client side, but these days, even mobile devices got multiple cores, so we are talking about few miliseconds
This is an opinion and so can not be an actual answer (question will be closed soon).
JSON, The reason is that any program of any significance will grow (they always do) and your conceptual knowledge of the state will atrophe (as it always does) That means you need to be clear in your program where the truth is.
This notion of truth works best when the truth lies in the data not the template or the presentation. I've learned through experience that any code should be driven by the data. And so sending JSON data to be manipulated seperates concerns lightens the complexity of the server code and allows more flexability on the client side to render any way you wish. And when you scratch your head in 6 months wondering why that bug is there you can follow the data and not guess where the logic could be.
Human Javascript by Henrik Joreteg explains this well.
This question already has answers here:
How can I obfuscate (protect) JavaScript? [closed]
(22 answers)
Closed 9 years ago.
I want to have two separate files in JavaScript with the same name , can i do it in javascript ?
I want to expose only part of the code to the user and not all the file
(Do we have any concept on javascript like the c# partial classes ?)
Thanks
Shimon
In the Web Browser, all of the JavaScript code is interpreted locally on the user's machine. So for the Web Browser to be able to interpreted correctly it needs all of the source code. So the answer to your main question is "no".
The closest solution to your problem is doing some sort of obfuscation of the source code. When you do that, it makes the source code very hard for the user to read the source code, but the Web Browser can still interpret it.
To answer the last question, all objects in JavaScript can be extended like partial classes in C#.
Nope - you can't fully hide JavaScript from your end users. The users browser needs to be able to parse the code and as such the user will have access to it as well.
What you can try to is use some form of code obfusication. This will still allow the user's browser to parse the code but will make it very difficult for a user to read and understand what's going on.
That said, it's not impossible for a user to un-obfusicate the code and see the logic behind it - it is just another layer of security but by no means fool proof.
This question already has answers here:
Why does Google prepend while(1); to their JSON responses?
(8 answers)
Closed 8 years ago.
Why is there a for(;;); preamble in facebooks JSON responses?
See this StackOverflow post: How to restrict JSON access?
In particular this comment within that thread: for/while loops in JSON responses
Basically this is used so that attackers can't get the URL and include it on their page and have JavaScript now put the variables on the page because as soon as the request has been serviced the browser will go into an infinite loop not allowing other JavaScrip access to said variables which would potentially allow attackers to use your browser to get information that is meant to stay private.
Basically this just runs an infinite loop when parsed. That way, the user's browser freezes (eventually providing a popup allowing the user to stop the script), and the data is never actually read. Hope this makes sense!