I was wondering how I can get data from the server side that is being passed to my page via encrypted url using java script? Let say I have this in visual basic in my code behind,
lnkToAPage.NavigateUrl = RelativePagePaths.ThePage + "?"+ QueryStringModule.Encrypt("PageMode=" + pageMode ...
I need to extract a piece of that data, which I get from an object on the server, to do something with it on the client side using javascript. I understand I can get the data from the url like it says here
but the data in the url is encrypted so the data I get from there is useless, I can send it without the encryption but that exposes to much. So is there a way I can use ajax to retrieve that data or object, or maybe there's another way? Or is it not possible at all?
I am not aware of what encryption protocol you are using, but if you get an encrypted version of your attributes, you need to decrypt it using the same protocol with javascript.
On the web, it is common practice (and a good one) to encrypt the connection using HTTPS. it protects anyone from seeing the parameters as explained here.
This does not seem to be an ajax related problem (from what I understood of the question).
Related
I want to know how to get all the data passed on the WebSocket
I alredy tryied using FireFox to see but all the data are strange unicode text and symbols (game link is https://sploop.io) is there an way to maybe decrypt it?
I also tryied using
var data= new WebSocket("usa1.sploop.io/ws")
data.onmessage = (sa)=>{console.log(sa)}
And after some actions in the game the code logged an object that didnt have any of the data...
You're already getting all the data the WebSocket is receiving. The problem is that the data is "encoded" binary data using the game's protocol. The scripts in Sploop.io know how to decode this data (and encode new data to be sent back), but since you don't "speak" that protocol, it looks like gibberish to you.
Problem aside, you can have fun and all, but trying to cheat or so isn't nice towards other players.
I have a servlet which I call the following:
request.getSession().setAttribute("name", nameObj);
Can I access it from the following page using
console.log('IH HERE' + sessionStorage.getItem('name') );
It doesn't seem to work. Either js or jquery solution would be nice.
Thanks,
Scott
This won't work, for two reasons:
sessionStorage is client-side only; it's not sent to the server via HTTP requests and the server can't write it without talking to the client.
request.getSession() is server-side only, with a session ID stored in a cookie but nothing else stored in a client-accessible format.
You'll have to use cookies if you want to achieve this effect (read / write by both) or loop over the session and provide it all in the page somewhere (read only by client).
Someone using firebug or chrome console could intercept the submitted form data and then switch some of the values, eg.
Sender's ID . I was wondering if I can make data sent less human readable so the attacker won't want to deal with it.
I saw something like this:
$.ajax({
type: "POST",
url: 'http://www.example.com/widget_category.php',
data: "p=eyJUcmF6ZW5pUG9qYW0iOiIiLCJJREdydXBhIjoiMzA3IiwiSURQb2RHcnVwYSI6MzA3LCJQcm9kYXZhYyI6IiIsIk9rcnV6aSI6W10sIk9wc3RpbmUiOltdLCJDZW5hT2QiOi0xLCJDZW5hRG8iOi0xLCJTdGFuamFQcmVkbWV0YSI6W10sIk5hY2luaVBsYWNhbmphIjpbXSwiRmlsdGVyIjpbXX0=",
dataType:'html',
success: function(res){
$('#limwidget').empty().append(res);
}
});
Edit:
I see this question was accepted bad. I just want to point out that i am validating all data received on the server side and there should be no question about that, but I just wanted to hide the real sensitive data from database ( and maybe make them also timestamp signed in some manner and different from user to user).
I realize that maybe this problem should be considered on server-side(php), that all sensitive data should be swaped on server-side instead of client-side, so we can avoid security by obscurity.
Thanks for clarifying
One more edit:
I see now that output from atob function from the example given
eyJUcmF6ZW5pUG9qYW0iOiIiLCJJREdydXBhIjoiMzA3IiwiSURQb2RHcnVwYSI6MzA3LCJQcm9kYXZhYyI6IiIsIk9rcnV6aSI6W10sIk9wc3RpbmUiOltdLCJDZW5hT2QiOi0xLCJDZW5hRG8iOi0xLCJTdGFuamFQcmVkbWV0YSI6W10sIk5hY2luaVBsYWNhbmphIjpbXSwiRmlsdGVyIjpbXX0=
is
{"TrazeniPojam":"","IDGrupa":"307","IDPodGrupa":307,"Prodavac":"","Okruzi":[],"Opstine":[],"CenaOd":-1,"CenaDo":-1,"StanjaPredmeta":[],"NaciniPlacanja":[],"Filter":[]}
so I guess that it's useless to start hiding data on client-side.
You can encode your data to base64 with atob() and btoa(), and then decode it in the server. Be aware that doing this will only obfuscate your code, and won't make it 100% secure.
Here's some info about Base64 encoding for JavaScript.
https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding
You should forget about having sensitive logic on client side and expect to be safe, there is no way to do that.
Even in case you "ofuscate" the output, that evil user could put a breakpoint before the ofuscation and change values at will.
If you concern is that someone could change the SenderID then, assuming is valid for your scenario, you could validate on server side that SenderID posted is the same that initiated request.
They can change anything on the front end even with this change. Everything sent to the client can be read, including any encryption code you use. It is harder potentially but you are confusing obfuscation for security.
Obfuscation will not solve the problem.
You should make it your priority to get your server side code to validate and sanitise the data that comes from the front end.
http://en.wikipedia.org/wiki/Security_through_obscurity
Base64, the content will be a bit longer, but widely supported, there're also command line tools to decode it.
I think it's safest to just assume that all data from the client is evil and add code on your server to validate and authorize where appropriate. You could encode your data and then decode it on the server, but JavaScript encoding/encryption is less useful than you might want. The attacker could always just open the dev console in the browser, inspect your code, and run whichever encryption method you use on their new malicious data.
i am newbie at developing web Application and like to learn best practices
i want to know what is the best practise to handle the cookie data should one use JavaScript or PHP to handle a cookie data?
1.Do you use javascript to get cookie and than pass it to PHP to do all the filtering ?
2.Do you use PHP to do all of the stuff?
3.Which one of the above will improve performance or is there another way?
should one use JavaScript or PHP to handle a cookie data?
To make this a little more general, let's call this "Client side" (which is almost exclusively JavaScript) and "Server side" (which can be PHP, JavaScript or any other language) code.
The short answer is that: It depends what you are doing with the cookie data.
Most of the time, dealing with cookies server side is simpler.
Sometimes, the information in the cookie needs to be secure, and you don't need to access it from client side code, so you'll set an http only flag on it so that if you suffer an XSS attack the damage is limited.
Sometimes you will want to avoid making a server round trip (to take a trivial example: You allow the user to pick different stylesheets for your website. You don't want to reload the entire page when their change their preference. You use client side code to change the stylesheet currently loaded, and client side code to store that preference in a cookie. In the future, when other pages are loaded, you can use server side code to set a different <link> element.)
Do you use javascript to get cookie and than pass it to PHP to do all the filtering ?
You might use client side code to set a cookie value, and then use server side code to read it. There is no point in using JavaScript to read it and then using some non-cookie based mechanism to send it to server side code. That just makes things complicated and more likely to go wrong.
Do you use PHP to do all of the stuff?
Only if all the stuff is better done with PHP
Which one of the above will improve performance or is there another way?
As is normal with questions of client side code vs server side code: If you aren't loading a new page anyway, then using client side code is usually faster.
It depends on the type of application.
If your application is full request based with PHP as backend, then use can PHP tot extract cookies.
check this link http://www.w3schools.com/php/php_cookies.asp
Or, if you application follows REST architecture or you want send data to the backend using Ajax. Then use javascript/Jquery to get cookie value and send it to the backend server that is PHP or in any other language.
Check this link to know, how to access cookies using jquey.cookie.js plugin:
https://github.com/carhartl/jquery-cookie
In handling cookies, it does not really matter whether you use javascript or PHP, it just depends on when it is more beneficial to access/manipulate them. Server-side stuff always seems more secure, but cookies are always accessible, client or server-side, so it doesn't really matter. You can create a cookie in PHP like this:
setcookie($cookieName, $cookieValue, time() + 3600);
That sets a cookie for an hour, you can then access it through the $_COOKIE superglobal array with array notation, for example
$var = $_COOKIE[$cookieName];
However, keep in mind that this won't work if cookies aren't enabled in the browser, such as when someone uses incognito mode.
In javascript, you can set cookies like this:
document.cookie="cookiename=cookievalue";
However, cookies in javascript are all concatenated as one big string in document.cookie, so the way to break them up into a normal array is with the split function, for example:
var arr = [];
function getCookieArray() {
var value = "; " + document.cookie;
var parts = value.split("; " + name + "=");
if (parts.length == 2) return parts.pop().split(";").shift();
}
You can find more about that here http://www.w3schools.com/js/js_cookies.asp
So, remember, that cookies are not for storing sensitive data. They're often used to store preferences, but never anything that people shouldn't be able to have access to.
I am developing an application that needs to gather information from GitHub, so I began looking at their API. My initial thought was to use the d3.json() function to get the data (because it's simple and has done good things for me in the past), but there doesn't appear to be a way for me to authenticate with that function. For example, $ curl -u "username" https://api.github.com is given as an example of basic authentication (from GitHub API--obviously they use curl for their examples).
So, is there a way to do authentication with the d3.json() function? And if not, what are my other options to get the JSON with JavaScript?
Thanks!
Edit:
I'm experimenting now with using jQuery's getJSON method as shown here, because I started getting the error "XMLHttpRequest cannot load url Origin url is not allowed by Access-Control-Allow-Origin." Of course, the switch doesn't help with the ability to authenticate, but I can at least get the public data (which is most).
Edit #2:
Has anyone experimented with michael/github or fitzgen/github-api? I'm going to start looking into those.
If you have a PHP script which echos JSON, you can do all authentication server-side. Note that you can also send a GET request to your PHP script, so the way you call your script can be dynamic.