Is there a way from JS , we can detect how many and which browsers are installed on user's machine.Any pointers would be helpful.
Thanks!
No, there is no way to examine what software is installed on a given user's machine via a browser page using standard web-safe techniques.
To do so would require the ability to look outside the browser's sandbox and this opens up all sorts of security vulnerabilities which is why it is not allowed in the browser.
The usual work-around is to request that the user download an executable program that is built for their platform (Mac, Windows, etc...), run it and have it report back to you. But, this is an onerous step that many users will not do or will fail to do and many systems will attempt to warn/block because of the potential security isssues. It cannot be done automatically without significant user intervention.
you can't, unless you inject in a program to run in the user's machine, and do a system search and send back the data, which is the very definition of virus and trojan.
Related
I do not want to allow Web Debuggers such as Charles Proxy, Fiddler, Wireshark, etc while using my Node JS application. I'm not fully sure what's the best way to do this. Is there a way to detect when a new program is launched in node, and then check if it's a web debugger?
I just don't want people intercepting requests sent from the node app.
I have tried getting all running processes on user's computer, and if any are a web debuggers, close my app, but this requires checking the running processes every couple seconds.
There is no effective way for you to do this. There are more debugging tools than you could imagine to check for, and there are ways that they could be hidden beyond your ability to detect (like running them on another computer, or running your application inside a virtual machine). Besides, your application is written in an interpreted language -- any user savvy enough to use a debugging tool could just as easily open up your application and remove the code that was supposed to disable their tools.
You haven't gone into much detail about why you're trying to do this, but the fact that you're asking is a sign that your application may be structured incorrectly. If your application is communicating with a server, any access controls (e.g. on what information the client has access to, or on what operations it can perform) should be implemented on the server -- the fact that the client can "see" what is going to and from the server should not compromise the security of your system.
That is impossible! Browser is a software, just like Charles Proxy, Fiddler, Wireshark, etc ...
So excited to asks experts on this platform. I don't know where my question fits but anyone familiar with ARM mbed or dev.ti.com?
Let me give you a clue. On these website they provide an online IDE (just like desktop version) on which you can build an "Embedded Software" and download, run and Debug on some target board like (TIVA C, STM32 etc.) connected to PC. As far as i know javascript on web page doesn't have any access to local machine. So how does it access computer ports and computer drivers etc?
WEB Experts please give me a clue like how browser is allowed to access local computer resources??
In most cases, you're correct - Javascript running in your browser does not have access to many of the resources needed for reprogramming and debugging a development board.
However, there are a few ways to work around this:
1. Build development boards that can work with the hardware APIs the browser already allows access to.
This usually involves using APIs in unexpected ways. The integrated debug firmware on all mbed boards emulates a USB disk drive. The user can download the firmware file from the mbed site and then copy it onto the disk drive to install the firmware on the development board.
There are also some more creative (mis)uses of hardware APIs. For example, this Chibitronics board relies on the browser sending the new firmware via audio output. I have also heard about - but cannot find a suitable link to - an example of repurposing the U2F protocol to do double duty as a firmware update mechanism.
Because this approach repurposes existing APIs, it is generally widely supported, but requires extra work on the device side to fit a square peg into a round hole.
2. Install a native application/extension that accesses hardware and allows the website to access the hardware through the extension.
This is the approach used by TI Cloud Tools, Arduino Create, and Codebender. Once a user has installed a companion application, that application allows the website to access anything that a normal IDE would be able to access.
In a sense, this approach is very similar to building a native application with a very cloud-centric UI.
3. Extend browsers to add new hardware APIs that can be used to program development boards.
The WebBluetooth and WebUSB draft standards add new APIs to allow Javascript to access BLE and USB devices directly, which can then be used to communicate directly with connected USB debug hardware or BLE bootloaders.
micro:bit is currently testing a beta program that uses WebUSB to directly program and communicate with micro:bit boards.
These APIs are only implemented in Chrome, so they are not a universal solution. Additionally, due to security restrictions and driver issues, not all existing hardware is compatible with WebUSB.
As far as i know javascript on web page doesn't have any access to local machine. So how does it access computer ports and computer drivers etc?
You can access your local machine through a server. For example to ask it for a certain file or to run some commands/code through an API you define.
How browser is allowed to access local computer resources?
The browser is a program on your machine. The programming language(s) in which the browser was built provides interfaces to communicate with your system on a low level.
It's worth mentioning that the browser and the web application it renders are not the same and do not communicate in the same way with your system.
In our web application, we using a Java applet to invoke MS.Word application by jacob jar e.g. Word to open, edit, and when it saves automatically it uploaded to the server.
Google Chrome will no longer support NPAPI, so soon we can not run our applet in Chrome anymore.
So, any suggestions for an alternative for the Java applet. We want to make the same experience for the user, just like before.
We have the same problem. With Webstart is not longer possible to do that communication. We are going to use Websockets between webstart application and browser. Our first attempt is to start a websockets server in the webstart and make browser connect to localhosts. If this is not possible for security limitations in the browsers then we are going to do it through the webserver, browser and webstart application connecting to the webserver and exchanging messages.
I can see 2 distinct possibilities.
Create a standalone application that "wraps" your web application using a technology such as electron. You can then do your browser to desktop integration as you like. This will require an install on the client.
Launch a webstart application (or it could really be any installation that happens on the client). It will need to start a webserver, or connect to a webserver and communicate via http.
I'm saddened by the loss of the Applet. It is a technology not easily replaced. And another methods seem somewhat like 'workarounds'. There is no easy, cross-browser way to break out of the browser sandbox and access the system.
For myself, the loss of the Applet has simply meant that automating some of these processes has become too difficult and it is just better to find an alternative way of achieving a similar end result.
A small note: If you are starting a local webserver, be mindful of security. It can be accessed by other processes on the system. Wouldn't it be fun to open word on anyone's system by sending a request to a port!
I am developing a content management system in asp.net where the users of the system will use it to submit their work as well as open their previous/unfinished work (writing) in Microsoft Word 2003. Now the problem is if I use C# System.Diagnostics library it works perfectly if the system is deployed on local server (i.e the PC on which I am developing) but I think if I deploy it on another PC and run it on a client PC using LAN connection it will launch word on PC acting as server instead of client although I haven't tried this but this is what I doubt, is there any way I can launch word on client machine using Javascript but without using ActiveX as it restrict the user to use IE only while our users choose their own browser ?
Thanks.
Not possible. Browser scripting cannot interact with the client machine, period, unless you have some plugins installed that would allow it.
Microsoft, and its ActiveX, are an exception, where they break the rules so they can improve integration with their operating system. Many people think it's another of Microsoft's blunders, since it is often viewed as a big security risk.
Nope, and for good reason too. Could you imagine if any website were allowed to run executables on client computers...?
Let's say I've got a website that works better if a client has installed and logged into a desktop application. I'd like to be able to do 2 things:
Alter the website if they haven't installed the app (to make it easy for them to find a link to the installer)
If they've installed the app on a couple of machines, determine which machine they are browsing from
I'd like something that works on Windows and OSX, on any of the major browsers. Linux is a bonus.
A few thoughts:
Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals?
Could I just let the client serve HTTP on localhost and do some javascript requests to fetch a local ID? I know google desktop search did something like this at one point. Is this a standard practice?
Thanks!
You can register a protocol from your desktop application (see this). This can be used, for example, to open your desktop application with arbitrary data from the website. You could then have your desktop app send a HTTP request to your webserver, telling it what machine you are on.
You can have a browser plugin (activex for IE or Netscape plugin for the rest of the browsers) that can communicate with the application. When the webpage is loaded, it can try to instantiate the plugin and if it succeeded, it can use it as a proxy to the application. If it fails, then either the app is not installed or the plugin was explictly disabled by the user. Either way, your website should degrade its functionality accordingly.
Update: Forgot to answer your questions:
Flash does it exactly this way. Flash is a browser plugin that is created by the web pages.
You can have a machine ID generated at the application/plugin install time and your plugin can pass that machine ID to the webpage when it is created.
On the topic of using local webserver:
I would stay away from having a local webserver, mainly because of security considerations. It takes quite a lot of work to make sure your local webserver is locked down sufficiently and there are no XSS vulnerabilities that other malicious websites can exploit to make it do stuff on their behalf.
Plus, having a webserver means that either it has to run as a system-wide process, or if it runs as the user, you can have the website interact with only one user's instance of the application, even though multiple users can be logged on and running it at the same time.
Google Desktop Search suffered from both the XSS security vulnerability (though they fixed it) and the limitation of only one user being able to use it on a machine (I don't know if they fixed this one yet, though chances are they did).
Websites can detect if you've got Flash installed.
Actually, I believe a browser can detect if you have the Flash plugin for the browser installed, and webpages can offer "installed" and "uninstalled" option that the browser can choose.
Otherwise, you are asking for a means, by putting some code in a webpage, of being able to analyze a user's home computer, and report what it learned to you website.
Can you say Major Security Hole?
If you can pick a development environment for the desktop app, then check out AIR from Adobe. It lets you develop desktop applications using either html/javascript, Flash, or Flex.
It has API calls you can use from a browser based flash app to see if the desktop based AIR app is installed, what version, etc. You can even launch it and pass parameters from the web app to the desktop app.
http://www.rogue-development.com/blog2/2008/03/interacting-with-an-air-app-from-a-browser-based-app/
Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals?
it's quite a bit simple, your browser tries to render some additional files, with some specific formats such as flash .swf and I the browser doesn't find installation, then will be start downloading, or you will get the option to download that program.
Flash also uses AC_RunActiveContent.js please take a look at this js, people usually put this on their webpages
if (AC_FL_RunContent == 0) {
alert("This page requires AC_RunActiveContent.js.");
} else {
AC_FL_RunContent( 'codebase','http://download.macromedia.com/pub/shockwave cabs/flash swflash.cab#version=8,0,0,0','width','981','height','635','id','build5','align','middle','src','build5','quality','high','bgcolor','#ffffff','name','build5','allowscriptaccess','sameDomain','allowfullscreen','false','pluginspage','http://www.macromedia.com/go/getflashplayer','movie','build5' ); //end AC code
}