Why does this link to a JS file return Unauthorized, but it works in HTML? - javascript

Is it possible to not allow people view one of my website's JS file?
Demo:
http://js.maxmind.com/js/geoip.js
If you copy the URL and paste it in the browser, it will say "Unauthorized". But if you put it inside the HTML, it will do its work.
Can I do that with my code.js file?

JavaScript is an interpreted computer programming language. It's not being compiled and it runs on the client's browser/computer, therefore, the client must see the script in order to execute it. That's why you cannot hide the code.
You can define folders on your server as restricted, which means the user cannot access them directly, but when the browser loads the page it has to load all the components such as images, CSS files, JS files, etc.
If the browser can load them, it means the user can see them as well.
For example, you can also define that users are not authorized to see any .jpg files, but they can easily save any image. Actually, browsers usually save the images on your local computer anyway and cache them, so next time you load the page, it won't have to download files that weren't changed again.
As others already mentioned, trying to hide JS code is very bad practice and you need to avoid it. If you want to make life hard for other developers who want to copy your code, you can use this site to obfuscate your JS code, but remember, it only makes it harder to read by humans; it does not provide you any security.

First, let me explain loud and clear: that is the worst security I can imagine for what it is trying to do. It is just shouting, "HEY NOBODY LOOK AT THIS INSECURE FILE."
Your question has been viewed 41 times so far. That means up to 41 people are wondering what that mysterious file does, and probably half of them can easily find out. In short, don't do this.
There is no client side security. I refer you to this answer, for instance.
As for how to implement the situation, as noted in a comment, it's probably done by checking the Referer header. To find out for sure, check the request headers in the dev tools in your browser and compare them to the request headers used by curl (e.g. by using a post bin).
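The kind of Referer-based check this answer suspects, as an added example that is not code from the thread or from the site in question; the allow-list, function names and the embedding site are assumptions. It compares the parsed origin rather than a substring, and, because the decision rests entirely on a header the client chooses to send, it shows why such a check is hotlink discouragement rather than access control.

```javascript
// Added example (not from the thread): a Referer-origin check of the kind the
// answer suspects is behind the "Unauthorized" response. The allow-list and
// function names are assumptions for the example.
const ALLOWED_ORIGINS = new Set([
  'https://www.example.com',   // constructed: the site allowed to embed the script
]);

// Origin of the Referer header, or null when it is absent or not a valid URL.
function refererOrigin(headers) {
  const referer = headers['referer'];   // Node lower-cases header names
  if (!referer) return null;
  try {
    return new URL(referer).origin;     // scheme + host + port, nothing else
  } catch {
    return null;                        // unparsable value is treated as absent
  }
}

// Status a server using this scheme would return for a request to the script.
// Comparing the parsed origin, not a substring, keeps a Referer such as
// https://www.example.com.other.invalid/ from matching https://www.example.com.
function scriptRequestStatus(headers) {
  const origin = refererOrigin(headers);
  return origin !== null && ALLOWED_ORIGINS.has(origin) ? 200 : 401;
}

// The decision depends only on a header the client supplies, so any HTTP client
// that sends the same Referer line as the browser receives the same 200: this
// discourages hotlinking but does not protect the script's contents.
```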

It is not possible to not allow people to view one of your website's JS files.
To be more precise, if someone can execute your JS file, they can view it.

Although you cannot prevent a user from being able to look at your JavaScript, you can make it extremely difficult for them to understand what they are looking at through obfuscation or minification. For the latter there are many services that will do this for you; look at this for example. As for obfuscation, I don't know of any way to do it automatically, but it would be a similar approach.
If you have information in the JavaScript that you truly cannot allow a user to see, then I would suggest moving it into the server-side code and only passing the JavaScript the absolute minimum. As I am not sure what you are using on the server side, I cannot give you a specific example; however, in the past when using MVC I achieved this by passing the values I needed either to a hidden input (if the value needed to be posted back with a form) or through jQuery.data.

Related

Serving personalized javascript code to a client

First of all, I've tried to look for answers in different questions and forums, but I've struggled to find the correct search keywords, so I haven't found anything relevant.
Basically, I've taken on developing a simple implementation of a live chat widget for websites, similar to Olark, LiveChat, etc. Since I will be using Socket.IO, I am looking for an easy way to provide the JavaScript code to a potential client (which might very well not be tech savvy). So the idea is to have just a simple <script> tag which either dynamically creates another script tag with the source pointing to my server, or just a script tag with the correct source.
The problem I have is regarding the server response to that request. In the test implementation, I am adding a script tag which makes a call to the server and the server responds with the JavaScript code in a string, which I find a very crude way to do it. The reason why I can't just serve a simple JavaScript file is because it needs to be personalized, so I can keep track of where the client is connecting from in order to get them to the proper "agent" (manager of the website). I could probably create separate files for each user, but I am not sure how maintainable and efficient that would be.
So my question is, how would I serve this personalized javascript code in an efficient and secure way? I am using Laravel as a backend, if that makes any difference.
In the test implementation, I am adding a script tag which makes a call to the server and the server responds with the javascript code in a string, which I find a very crude way to do it.
If it works for your needs, this is a good solution.
If it feels crude, there are a few things which can help keep it clean. Keep your JavaScript in a separate file and use file_get_contents to read from that file. Where you need placeholders to personalize this, you can add %s and use sprintf to pop in the personalizations.
There are a few pretty large ad networks out there which are serving up javascript in just this fashion so I do not believe there is anything inherently wrong with this method.
As far as security goes, I'm not sure what you can do besides making sure everything is served via HTTPS. I'd hope that there is no need to pass sensitive information via get variables.
You can transmit just the javascript without a <script> tag to the client and then use eval() to run the code there.
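The template-with-placeholders approach suggested above, written in Node rather than PHP, as an added example that is not code from the thread or from the asker's project. The template, function names and the widget host are assumptions; the point it adds is that the per-client value comes from the request, so it is allow-listed and embedded as a JSON string literal instead of pasted raw, and the response is marked as a script that caches must not share.

```javascript
// Added example (not from the thread): the logic of one request handler that
// serves a per-client copy of a chat-widget script. Template, names and the
// chat host are assumptions for the example.
const TEMPLATE = `(function () {
  var CLIENT_ID = __CLIENT_ID__;   // placeholder replaced per request
  var socket = io('https://chat.example.invalid', { query: { client: CLIENT_ID } });
})();`;

// The client id arrives from the request, so it is (1) restricted to an
// allow-list of characters and (2) embedded with JSON.stringify, which yields a
// quoted JS string literal with quotes and backslashes escaped. Pasting the raw
// value into the template would let a quote character end the literal early.
function renderWidgetScript(clientId) {
  if (typeof clientId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(clientId)) {
    return null;
  }
  // A function replacement avoids String.replace's "$" substitution patterns.
  return TEMPLATE.replace('__CLIENT_ID__', () => JSON.stringify(clientId));
}

// Status, headers and body for the script response.
function widgetResponse(clientId) {
  const body = renderWidgetScript(clientId);
  if (body === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad client id' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',    // browsers must not guess another type
      'Cache-Control': 'private, no-store',   // personalized body: never share via caches
    },
    body,
  };
}
```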

Is there a way to compress JavaScript with my own method?

I wanna know, is there a way to compress JavaScript with a method that cannot be easily uncompressed by someone else?
I have used some tools like jscompress and other products. They're nice and useful, but they provide methods to uncompress/decode the script too. The problem is that another programmer, or maybe a hacker, can easily uncompress my script; the impact is that my JS Ajax links and variables can be seen by the hacker. You know what happens if they find our link. Maybe they post values directly via Ajax, etc.
There is no way to do this in client-side JavaScript; it is inherently insecure. You should be using a call on your server to hide your API key.
FAQs from the w3:
http://www.w3.org/Security/faq/wwwsf2.html
If by your question you mean that you do not want the variables and Ajax links in your script to even be accessed by others ever, then you are talking about encryption, not just compression.
If the code was truly encrypted so that the Ajax links were not recoverable, the browser could not decrypt and therefore not even execute the script.
Obfuscators will make your code fairly illegible, but you are not going to be able to hide destination URLs in Ajax calls from hackers. All one needs to do is look at the browser's developer tools and watch the network calls.
It's important to design your application with the assumption that users and hackers are able to see all the JavaScript. If you can keep it secure under these conditions, that's ideal.
So if the question is just about making your code hard to read, obfuscate. But the kind of security you seem to be asking about needs to be done server side.

Dynamic JavaScript Obfuscation

I've developed a system that polls a server and injects the response JavaScript into the client's web page. I want to obfuscate the JavaScript the server serves, but I also want to know if there is a tool that dynamically obfuscates it according to a token or key, meaning every new session gets unique scripts that will only work with that client during that session.
If this doesn't already exist, could someone maybe provide me with a link on how to write my own JavaScript obfuscation tool.
Chris, I encourage you to look at this a different way.
First of all, your problem seems to be that you want to display something on your web page, but you want to disguise the methodology that it got there. The absolute best way to do this is to execute all of your code on the server.
This frees you up so that you don't have to obfuscate anything. Any Javascript that you execute would just be working on raw data anyway, and wouldn't be anything specialized that a hacker could do anything with.
A hacker could not see your business processes if all of the work was done on the server.
So, you can make an Ajax call out to the server, which executes the code, and returns HTML or JSON data that your app can then use to place on the webpage. The hacker has nothing to go on, and you don't have to build obfuscation into anything.
Here's a page that encrypts JavaScript according to a key:
http://scriptasylum.com/tutorials/encode-decode.html
Something you can do, to hide your javascript, is to send it this way:
<?php
header("Refresh: 0;javascript:document.writeln('');");
?>
your js code here
I have not tried it, but I think it will create an empty page when viewed by a browser.

Scripts folder a vulnerability?

In my .NET web applications I usually have a Scripts folder that contains all of my JavaScript files - jQuery mostly these days, with the occasional JavaScript library of some sort or another.
I'm running vulnerability scans against one of my websites through a scanner called Nexpose, and it informed me that the Scripts folder is open to the world - meaning unauthenticated users can download the JavaScript files contained in the folder and that this is a critical vulnerability. According to Nexpose, the Scripts folder should be restricted to only allow authenticated users to access it. Which leads me to my first question.
How do I restrict the Scripts folder to only authenticated users? I tried placing a web.config file into the Scripts folder and denying access to all unauthenticated users that way, but it didn't work. I was able to determine this myself by going to my website's login page, but not logging in, and then typing https://mywebsite/scripts/menubar.js, and sure enough it allowed me to download the menubar.js file.
Second question - Why is this considered a vulnerability? I've tried to reason my way through the possibilities here, but I've failed to come up with much at all. Is it a vulnerability simply because Joe the l33t h4x0r could figure out the various libraries that I'm using and then maybe use known exploits against them?
Update
Overwhelmingly the answer seems to be that in no way should a vulnerability exist just because a .js file can be opened and read on the client's browser. The only vulnerability that might exist would be if the developer were using the .js file in an insecure fashion of some sort (which I'm not).
Logically, you wouldn't want to actually disallow access to the actual files because then you couldn't use them in your webpage. The webserver makes no distinction between a browser requesting a file as part of the process of rendering a webpage versus someone just manually downloading the file.
As a result, the answer to your first question is: you can't and wouldn't want to. If you don't want users to access it, take it out of the web folder. If it's required to render your site, then you want anyone to have access to it so your site can render properly.
As to why it's considered a vulnerability, who's saying it is? I can go pull any JavaScript Facebook uses right now. Or, more to the point, I could go to Bank of America or Chase's website and start looking through their JavaScript. If I had an account, I could even take a look at the JavaScript used once the user is logged in.
The only thing that you might need to worry about is the same thing you always need to worry about: exposing details that shouldn't be exposed. I'm not sure why you would, but it obviously wouldn't be a good idea to put your database password in a JavaScript file, for example. Other than things like that, there's nothing to worry about.
In most cases it's not a vulnerability. Consider all of the massive public sites with anonymous traffic and/or where it's very easy to become an authenticated user (Google, eBay, Amazon, etc.) These sites also have some of the most elaborate scripts.
The more subtle things to watch out for are other files which you DO want protected. For example, if users must log in to your site and purchase a document, video, image, etc. before viewing it, it certainly should not be in a publicly accessible folder.
Yes. You should keep most of your processing server-side, as most (if not all) client-side scripts can be edited, and such. Most sites use JavaScript, so simply using it isn't dangerous; you just have to be careful about what you do with it.
Also, to answer your first question, don't protect them if unauthenticated users need them too.
Sounds like some security suite has an itchy trigger finger. The only two problems I could see are that you could end up loaning your server out as a CDN if someone chooses to point to your jQuery or your -insert library name here- OR (now this is a real security risk) if you are also serving any kind of dynamic .js files out of there, that could pose a potential threat. The only other thing I can think of is if you have your "custom" app JS in the mix with all the libraries, someone could potentially discover your endpoints (web services and such) and try to see if they're secure... but that's it! Nothing more... (unless you did something really dumb like hard-code a password or something in there... lol)
So the attack isn't that people can edit the script; the attack is getting the web server to arbitrarily write to a directory. What you need to do is make sure they are read-only files: chmod 400 or Windows read-only. In terms of Defense in Depth (DiD), you want to make sure the web server runs as a non-privileged user that cannot log into the system. Further, what needs to occur is that you are doing all data sanitization on the server, irrespective of what you are doing on the client side, because you do not control the client side. Typically this involves making sure that you cleanse all data coming from the web as well as the database before it gets served. One of my favorite things to do is insert arbitrary JavaScript into the database and watch it do things in the UI because the development team assumed everything would be fine since they already cleaned it once.
I can provide more details around securing the system if it is warranted.

How do I make my server do all the loading and JavaScript and then serve the page all ready?

I got a webpage that calls Oracle and then does some processing and then a lot of JavaScript.
The problem is that all of this makes it slow for the user. I have to use Internet Explorer 6, so the JavaScript takes very long to load, around 15 seconds.
How can I make my server do all of this every minute, for example, and save the page, so if a user requests it, it would serve them that page that is all ready calculated, etc.?
I'm using a Tomcat server; my webpage is mainly JavaScript and HTML.
edit:
By the way, I cannot rewrite my webpage; it would have to remain as it is.
I'm looking for something that would give the user a snapshot of the webpage that the server loaded
YSlow recommendations would tell you that you should put all your CSS in the head of your page and all JavaScript at the bottom, just before the closing body tag. This will allow the page to fully load the DOM and render it.
You should also minify and compress your JavaScript to reduce download size.
To do that, you'd need to have your server build up the DOM, run the JavaScript in an environment that looks (enough) like web browser, and then serialize the result as HTML.
There have been various attempts to do that, Jaxer is one of them (it was originally a product from Aptana, now an Apache project). Another related answer here on SO pointed to the jsdom project, which is a DOM implementation in JavaScript (video here).
Re: "By the way I can not rewrite my webpage, it would have to remain as it is"
That's very unlikely to be successful. There is bound to be some modification involved. At the very least, you're going to have to tell your server-side framework what parts it should process and what parts should be left to the client (e.g., user-interaction code).
Edit:
You might also look for "website thumbnail" services like shrinktheweb.com and similar. Their "pro" account allows full-size thumbnails (what I don't know is whether it's an image or HTML). But I'm not specifically suggesting them, just a line you might pursue. If you can find a project that does thumbnails, you may be able to adapt it to do what you want.
But again, take a look at Jaxer, you may find that it does what you need or very similar (and it's open-source, so you can modify it or extract the bits you want).
"How can i make my server do all of this every minute for example"
If you are asking how you can make your database server 'pre-run' a query, then look into materialized views.
If the Oracle query is responsible for (for example) 10 seconds of the delay, there may be other things you can do to speed it up, but we'd need a lot more information on what the query does.
