I am currently working on securing my javascript code. I am using Asp.net 4.0 When i was checking my mail on gmail I just right clicked & selected view source & It just showed me <html><body></body></html> . Can i implement this type of security in my application or any other best security feature that will hide/encrypt my javascript code
No, short of obfuscating it, there's nothing you can do to prevent somebody from seeing your code. Even then, obfuscating it only makes it more difficult to interpret, not impossible. Javascript is interpreted by the client's browser. The only way for it to be executed is for the source code to be available to the browser at runtime. In order to "encrypt" it, you would need to then provide the encryption key to the browser which would defeat the purpose of the encryption all together.
Related
It seems to be simple to find but when I searched for this I only found how to enable or disable Javascript on your browser. There are many websites which make it compulsory for Javascript to be enabled and I want to know how. Is there any setting? I want this facility on a website developed using PHP.
This question explains some great solutions for checking whether or not JavaScript is enabled.
You can take those answers and try to implement them. You can do what Marc Gear said
There isn't a good way to perform server-side JavaScript detection. Instead, use JavaScript to set a cookie, and then test for that cookie using server-side scripting upon subsequent page views; deliver content appropriately.
However on the first visit there would be no good way to test for Javascript, so you could use the <noscript> tag to possibly display some alternate text like "Pleas enable JavaScript then reload," though that solution doesn't really let you control whether or not java script is enabled.
In the end, there is no way for you, the server, to enable JavaScript. It is a client-side seting that the user has complete control over. You can only check to see if it is enabled, and if it's not, then encourage the user to enable it.
I am developing a web application in Django. Vital to this application's core functionality is taking user generated JavaScript and submitting it through a form into a MySQL database. This JavaScript code will then be served into webpages that anyone will be able to see, where it performs some calculations behind-the-scenes. I know this is very dangerous because of XSS and perhaps other reasons, but is there any way that I can do this safely? Has anyone ever done this or seen it work successfully?
Also, the most important thing that the JavaScript needs to do is math. Maybe there's a scripting language that doesn't have all of the power of JavaScript that can still run in the browser? Then I could sanitize the input making sure it is that math language and nothing else.
I am doing some R&D to define all the technologies involved for the developement of a multi tier application that has html5 as browser frontend.
Now I plan to write all the client in html5 css js, having a middle tier my "real" code is anyway safely at server side, anyway for different reasons there could be a reason to hide the javascript in my web pages.
Minifying it is a way to make it less readable, but is there a simple way to "hide sources"?
The js files will typically be on webfarm,but in same cases there will be an enterprise installation, and this is why i am invesetigating a way to "hide the code".
Thanks.
No, you cannot hide JS source code. If some one wants to take a peek at your JS source they will be able to.
Minification + Obfuscation are things you can do however. Note that these techniques don't protect your source, they only make it difficult to read through your source.
You cannot hide your JS. It will always be visible as long as it is downloaded from your server.
You can use some techniques to make it harder to someone to read your code. These include:
minify and obfuscate (like you pointed out). Using agreesive mode in googleClosure makes the code pretty hard to read.
interpolate client side code with server side.
Getting part of your client side code with AJAX
This only makes "reverse engeneering" harder, not impossible, specially if someone is patient enough to follow the breadcrumbs.
UPDATE:
There is an alternative way to "hide" your code. In browsers that support extensions, you can develop an extension with most of your app core funcionalities and use JS to interact with the code. Most browsers support extensions with external dlls. However, this will "force" your users to download your extension to use your webapp which might not be a good idea.
Minifying JavaScript does not in any way hide it, any developer would be able to reformat it in seconds.
By definition, there is no way to hide your JavaScript. Any code that is available for the browser to execute is available for the user to read.
We have WCAG standard means site should run without javascript.
http://www.w3.org/TR/WCAG/
Is it possible to check WCAG is enabled or not in PHP?
When javascript is disabled :- I have set some php session variables
When javascript is enabled :- I want to reset those php session variables
How can i do that?
WCAG is a set of guidelines, not simply an on/off switch. It highlights best practices to ensure that your site is accessible to people with disabilities can use it. At a high level view, the JavaScript requirement is in the standard because back in the day, not many assitive technology devices or programs could interact with JS. So, the user would experience the site if JavaScript was disabled. This is why it is important to have good <noscript> tags for scripted elements versus having rude comments.
Today popular assistive technology can interact with JavaScript fairly well. It all comes down to what you are doing with JavaScript and how you script the actions.
W3C has provided 37 techniques to use for client-side scripting. WebAIM's JavaScript Accessibility article has a lot of information in it.
If you ask about whether or not it's possible to detect on the server-side if Javascript is enabled, then the answer is: technically no.
As the server process is not within the browser process, there is not way for the server to inspect if a feature or setting in the browser is enabled / exists.
You can however try to mimic that. E.g. scripts are not going to be loaded from the server-side if javascript is disabled (normally). Also you can insert javascript that will do specifically crafted requests to your server so that you know something is disabled.
<noscript><img src="http://example.com/session-trigger-js-disabled.php?.gif" width="0" height="0"></noscript>
<script src="http://example.com/session-trigger-js-enabled.php?.js"></script>
Note: $_SESSION in PHP can be blocking. The <script src="url"> tag is also blocking, so take care that you're not creating "deadlocks" that will decrease the user-experience with your website.
A more lightweight approach might be to set a cookie and change it if javascript is enabled. Cookies can be read out by PHP, their nature is not blocking and you don't need to waste session for that.
What is javascript injection? Is it similar to SQL Injection?
How can I use javascript injection in software testing?
JS injection is running javascript from the client-side invoked by the client. You can do it in a browser or in console like in chrome. In testing it can be helpful because you can interact with live web apps without having to rewrite, recompile, and retest. It can also be quite useful in hacking by altering webpages while you are on them, i.e. making a weak password validation script always return true granting you logon access. In chrome, press ctrl+shift+j and go to console. There you can play around with some javascript and see how it is for yourself. Other browsers use the url bar like:
javascript:alert(some element = some val)
XSS is usually the attack to read up on when one talks about javascript injection. Basically you load malicious javascript into a web page that can be later used for phishing.
I don't think there are great javascript tools that can uncover XSS vulnerabilities. When it comes to security it still needs a person (preferably security expert) to come up with testing possibly with the help of tools.
While most of the people here reffer to client side javascript injection (aka cross-site scripting)
The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an
unrelated attack site, in a manner that executes a fragment of
JavaScript prepared by the attacker in the security context of the
targeted domain (a reflected or non-persistent XSS vulnerability).
Wikipedia
with the rise of NoSQL we have a new kind of injections -- serverside javascript injection SSJS which in some sense very similar to SQL injections. Consider to look at this paper (pdf!) that describes both of them.
You could be referring to how you can open up any web page's javascript in a console like firebug and overwrite the functions defined there. by doing that and adding additional code (or removing) you can output data that is supposed to be "encapsulated" in closures... it really can go much further than that, though.
in some browsers you can even do this in the url bar if you don't mind writing in one single line
NOTE: cross site scripting which is something i totally forgot about until nonnb mentioned it. haha duuuhhh