Essentially I want to store a variable in the client that I don't want people viewing or changing.
In the following code example:
(function () {
var foo = 'bar';
})();
Can anybody use tools or the browser to access and/or (more importantly) change the value of foo? Links to more information or tools that might do this would be appreciated. I'll be researching more in the meantime.
Thanks in advance
Yes, they can modify the value of foo. As a general rule, if you don't want the client to manipulate the value, don't give them access to it (i.e. putting user IDs or this type of information in the DOM or on the client side). You may have to do a bit of state management research: encrypted cookies, sessions, or if you're using ASP.NET the ViewState/ViewBag etc.
It is possible to inject JavaScript into any page, and from there you can manipulate every JavaScript object/variable on the page. Therefore any data that the JavaScript is receiving should be encrypted (if security is your concern).
To give you a little hint, try opening your developer tools. In Chrome, Control-Shift-I. Click the Scripts tab, and you will see all the variables the scripts are using. It is possible to double-click anywhere within the script and add/remove pieces of code.
F.Y.I. if you are using Firefox, I highly recommend Firebug. It surpasses Chrome's dev tools, but I find Chrome faster. At least on my slow laptop (Ubuntu FTW).
Hope this helped
I want to make right-click not work on my website, or give an error that says: Protected Content! The reason I want to do this is because I don't want others to see my source code. I know that you can make right-click not work, but I am not sure about F12. If there is no way to make the F12 key not work, is there any way to hide the source code from others? I saw a similar website today. If you right-click on this website you get this:
F12 works on this website but the source code is hidden anyway. How can I achieve similar results? Thanks for your time :)
Answering the question overly honestly:
First you must avoid publishing the site on the Internet. Make it available only on your private machine(s) that you have total control of. Make sure there are no USB ports exposed to users etc. Also, no internet access of any kind. They may just download some hacker tools this way. If you do not need text input, even better; a keyboard can be used to type in some hacker tools as source code and this way steal your precious sources.
Next make a custom build of a browser. You may want to use tools like Electron instead of generic browsers; this way you will end up with an app that runs only your website and has no developer tools, no address bar, nor anything else that may be used to gain access to your precious source.
Install Linux, create a new user account with minimal privileges (no write access anywhere) and let it use X without any window manager. Only your Electron app with your precious website, and no menus that could be used to access some hacker tools like a text editor that may reveal your precious source code. Also, configure the account to have a complex random password so that users do not start another session in text mode and see your source code.
Remember that hackers may use means like timing attacks, side channels or other hacky means of stealing your code. To prevent that, cover the walls of the room you store your computer in with a metal grid to make a Faraday cage. Check all people entering and deny them bringing any electronic devices with them. Same for analog photo cameras or paper notebooks. Better safe than sorry: they may reconstruct your site's source code based on how it looks.
Or just accept the hard truth: nobody cares about your website's source code. There are plenty of places you may copy-paste your code from, and your website is not the most interesting one. And if you do that to prevent hackers, you have to write secure code (and test/audit it), not hide it.
Short answer: Browsers, which render your website, are a client-side technology, and there is no way you can control who is going to see or not see your source code.
Long(er) answer:
Browsers download your website, together with its source code, onto the user's computer. Which means they can manipulate it however they see fit. There are some scripts that can ban right-click or other types of interactions, but if you try to stop developers from inspecting code (and if they are inspecting, it's a good bet they are developers) they will find a way even if you block F12 or right-click. You can always download the website, use a crawler, open it in Notepad, etc. etc.
You may want to investigate minifying and/or uglifying the HTML code, but it's no cryptography; again, if someone wants to, they will find a way to undo that.
Also, I'm curious, why would you want to do that?
You can do this using window events, but there are still ways to read your code.
For example, fetching the JS without executing it, or disabling JS in the browser for a moment.
window.addEventListener('keydown', e => {
if (e.key === 'F12') // detect f12
e.preventDefault()
})
window.addEventListener('contextmenu', e => e.preventDefault())
Is there anything different in what you can do with eval vs. what you can do in the browser developer console? Is it not safer to use eval, as at least your code evaluates the user input in a certain context, and it can also log (and scan) the input prior to execution?
Browser console and eval() are two different things...
In my opinion they can't be compared just like that.
The browser console is built into the browser (and as such, it's a browser-specific JavaScript interpreter). It lets you execute code, besides many other things.
Firefox, The Web Console: Logs information associated with a web page: any network requests, JavaScript, CSS, security errors and warnings as well as error, warning and informational messages explicitly logged by JavaScript code running in the page context. Enables you to interact with a web page by executing JavaScript expressions in the context of the page. The Browser Console is like the Web Console, but applied to the whole browser rather than a single content tab.
Google Chrome: The Chrome DevTools Console panel is your focal point for direct interaction with a page in real time. The Console lets you use standard JavaScript statements and Console-specific commands while a page is live in the browser to help you debug the page. View diagnostic messages, display both raw and structured data, control and filter output, examine and modify page elements, measure execution time, and more.
eval() is a JavaScript method: the eval() method evaluates JavaScript code represented as a string.
So yes, there's a BIG difference between them and what you can do...
...but most important is how you do it.
Now, you ask about the security implications of both "options", but I think this is too ambiguous in the way you pose the question; the answer could be very specific depending on how we interpret what you're trying to clarify.
I believe you will need to clarify/elaborate your question a little more and give us some real examples of what you're after.
Or maybe not, and this mini explanation is enough to clarify your doubt.
I guess using eval within your code runs in the context where eval is being called in your code, whereas the developer console can only access globals, and hence can only access your code-as-written but not necessarily live data created by its execution, but I am not sure about that nor about loopholes.
I need to find a reference to a global variable, K, declared in an HTML page that is displayed inside several layers of frameset.
The most succinct way I can describe what I need is to paste a screenshot and ask that you provide as an answer the code I can use to access my entry point. I intend to paste your correct answer into single- or multi-line console mode in IE8's Dev Tools.
Sorry about the questionable quality; it's a screenshot taken from my access to a system via remote access to a machine hosting a virtual OS, through a virtual gateway.. o_O
EDIT: Sorry, I forgot to mention that the blue highlighted Node is the frame containing my page, and variable K.
Does anyone know of any console emulator (preferably made in JavaScript or jQuery) that would allow me direct access to the browser's JavaScript console, the one found in the developer tools in Chrome for example? I have been using jq-console, but that only emulates a terminal; very useful so far. However, it only emulates a terminal and doesn't provide access to the browser's JS console. I need this so that users have front-end, web-based access to the console without having to open the developer tools or something similar, so they have access to the variables and objects available in the browser's JS console. I had thought of loading the data into the memory of the jq-console instance, however I think this would be a cumbersome process and I don't really know how to go about doing it without the information being directly entered into the jq-console instance. Any help or guidance would be greatly appreciated. Thanks in advance!
direct access to the browser's JavaScript console
No. Not without opening the console manually, and even then you cannot do much more than log messages. Any emulator will not use the native console.
web-based front end console at CodeAcademy.com
Have you looked at their source code? You can write such one yourself, too. Or have a look at EloquentJavaScript's console script (using Mochi and Codemirror).
a browser console
…is not possible except by emulating it. However, you can use Firebug Lite for that, which promises the same look-and-feel as the native Firebug. Also, Opera's Dragonfly is written in JS, and it is released as open source, so you might adapt (parts of) it.
I was wondering if there was a way I can get a JSON file (currently using $.getJSON) without showing the GET URL in 'view source'.
Not really. I mean, you could derive it from something else via a complex function, but even then, it's there, just obscured.
And if you did, someone could just as easily snoop the file path using the browser's built-in diagnostic/debugging tools as they could from View Source (the "Network" tab in Chrome, for instance — all major modern browsers have debugging tools built in now). Here's me snooping on the path Stack Overflow uses to give details of upvotes/downvotes (for those with enough rep to see the breakdown):
Or they could use the debugger (see the "Scripts" tab) to inspect the string variable the calculation ended up with. Etc. Basically, if the browser knows enough to be able to retrieve the resource, the user can find out what that path was.
The only thing I can think of is to use a plug-in, like Flash or Java, to retrieve the resource and then display it. That would raise the bar a little (the path would still be accessible to anyone with a network analyzer or proxy).
Nope. Security through obscurity is never a chance.
You could make it harder to reuse by adding a referer check on the server side, though..
Or by using some "signature" token, etc.. (if you want to prevent people using it as a web service).