Is it possible to detect and get proxy server name and port in javascript?
No. The browser proxy settings are not available from JavaScript running in a web page.
Maybe. The browser proxy settings may be available (in some web browsers) from JavaScript running with elevated permissions (for example, a Firefox add-on).
For what it's worth: While you're asking about JavaScript, getting access to the browser proxy settings even from any kind of browser plug-in such as a Flash or Java applet is also not possible, or at the very least not in any reliable or compliant way.
I mention this only because sometimes such plug-ins provide viable workarounds when JavaScript can't do something ... but here I think you are S.O.L.
Perhaps you could tell us a little bit more about what you are trying to accomplish? Maybe there's another way to address your needs.
Related
I have a website where I want to ban all users not using a chrome and derivatives, firefox and derivatives, safari, or a new version of opera (IE and other old browsers may compromise security). Is there an absolutely foolproof way (so that even a hacker couldn't spoof their browser) to do this in JavaScript on the client or server side?
No, it can't be done reliably. You could use some complex JavaScript timing runs and compare the time to execute for the bank of tests against the known timings for each browser and version. Obviously this would have to be tested on a ratio basis to rule out differences in hardware performance. This would not, however, be foolproof and would require "fingerprinting" performance for every single browser version and make that you will accept and would need to be constantly updated as each new browser version was released. This is not a foolproof method and is generally considered a very bad idea. It can also result in false positives which will cause people with compliant browsers to be denied access based on variability in your JavaScript fingerprinting tests.
Hardening your server is a much better way to go and using simple browser identifiers like navigator name will provide the results you need. The trouble with trying to design a foolproof method is that, even if you get it to work, a cagey hacker can still get you. Hardening the Server is the only real way to secure your site.
This is a terrible security method
You should not be banking on the fact that a user is visiting your site from a particular browser. You should instead choose to either allow functionality to those compliant browsers and disable it to others via signatures (the part the browser sends which helps identify the particular browser type).
Most importantly, you should never leave a vulnerability in your application! If you know it's a vulnerability in different browser types, fix the problem - don't try to hide it. People will always find a way around a hidden problem. Easy fix? Make it so there is no problem to hide!
Is it possible to use pure JavaScript to sign XML documents in the browser?
I believe there are hard security restrictions here, but maybe there is some way of doing that.
Here is a solution based on Web Crypto - https://github.com/PeculiarVentures/xadesjs
If you mean the XmlDSig which involves accessing the local cert store then I am afraid that currently there is no way to have a reliable Javascript code that could access the cert store at the client side and use the private key of the certificate.
Hundreds of developers would die for such technology, however, the Web Crypto API is still a draft and is not implemented by web browsers.
To sign documents at the client side you still need an OS bridge
a browser plugin - possibly a most difficult route as writing plugins for all possible browsers for all possible systems could be an overkill
a Java applet - considering Chrome has just dropped the support for NPAPI (plugin API), this seems to be obsolete. Mozzila will drop the support soon, too.
a ClickOnce application that is run by a client .NET platform - that still works, however is limited to OSes that support .NET/ClickOnce
If you need more references, Google for "javascript access certificate store". Example SO threads:
How to access windows certificate store in javascript?
Access browser certificate store using javascript
(these and other threads also support the argument that this is currently not possible)
I am looking for the same functionality.
As of now I found https://github.com/yaronn/xml-crypto
but did not tried yet.
For just signing (not XML) with x509 certificate I sucessfully used https://github.com/digitalbazaar/forge
If you need signature in a browser, maybe you need a specialized solution?
For example, this: https://www.cryptopro.ru/products/cades/plugin
(Use google translate).
I have an idea for a web application and I'm having some javascript trouble.
Suppose the application needs to get a client's website url, show it (in an iframe or something). And then it should be able to temporarily tweak its design with Javascript which I assume is called Javascript injection. (Something similar to what the Developer Tools of browsers can do.)
So the question is: Is this cross domain javascript and if so, what solutions could I use?
, and what's the easiest way?
On a related note: What if the user adds some of my application's javascript code to their website (like how some APIs work), Would that help in any way.
Thanks.
same origin policy does not apply when you are armed with the proper knowledge of how modern web browsers work (IE8+ and of course all the other ones are always ahead of IE)
I specifically tackled this problem by using postMessage and iframe for cross browser communication. This technique works in IE8+ and all modern browsers. Also, ensure you are setting your privacy policy in your headers for 3rd party cookie support in IE.
You can see this working live if you go to kitgui.com and try the demo. You can also use this for free.
If they are including your JS in their page, then the JS is running from their page and you can just use standard DOM.
If they aren't, then the same origin policy will prevent you from touching their site.
This is cross domain. So the solution: Server Side Languages
PHP, ASP.Net, Ruby on Rails, etc. Load their website via that and then you can touch it because it will be a copy on your site. I will warn you though, this can be very difficult when using libraries like CURL (at least in my experience with PHP's CURL).
You culd use bookmarklet to add your javascript code to client's webpage. Like firebug lite does.
I am trying to develop a web page that will allow user to edit registry settings in windows system. Can i achieve it with client side scripting language.? If yes please suggest me language to do.
Can we do it with jQuery or any other type of library.
Due to obvious security concerns, this is only possible in Internet Explorer(!). This is not a jQuery library, but an activeX control; so it's quite unpleasant to use.
You have been warned, so here is the documentation :
http://technet.microsoft.com/en-us/library/ee156602.aspx
Fortunately is impossible to access the registry from a web app: the only way you have is through an ActiveX control but I would not go down this road.
have a look at the below
Access registry from a web aplication
Far from ideal but ...
If you serve up a ".hta" file (HTml Application) from your web server, Windows will run it as a program outside of IE and give it the privileges of the PC user. It will be in a separate window and there won't be any browser features (Back/Refresh/Address bar etc).
Even then, modern versions of Windows will prompt the user with security warnings if a HTA is launched from anywhere other than a local drive.
I know this thread is old, but I am not sure I like any answers for this problem. Instead of trying to access the Registry directly through Javascript, try writing a Java Applet and talk to the java applet using Javascript. Then in the JavaApplet you can write some JNI code to write a native dll to do what you need. It isn't a direct solution to your problem, but it will allow you to do what you need across multiple browsers. The downside is that you can't use it on browsers that do not support running a Java Applet, such as a mobile platform.
This method will also require you to sign your Java Applet. This is how you get around the security issues. The user will have to accept the applet the first time to give the security access.
Is there any way I can use HTML5 and JavaScript to modify a file on my system? I'm OK with running Chrome or Firefox with specific options or opening permissions in some other way.
Ideally I would like test this by having my browser rename a file on my desktop.
Yes, you can do this, this link details some of the available functionality:
http://www.html5rocks.com/en/tutorials/file/filesystem/
Just remember, it's not supported in the major browsers yet, and it's likely when it is many of your visitors will not upgrade for quite some time.
No, as this would be a security vulnerability. As pointed out there are sandboxed file systems, or local database storage in HTML5, but not access to the whole file system.
You could achieve it with a certified Java applet, if you really wanted to achieve it through the browser. To be honest the browser is not the best place to be trying such things.
VBScript should be appropriate in your case. You will have to lower your internet zone security level though.
Once it's done just use ActiveXObject("Scripting.FileSystemObject") and its MoveFile method.