Kindly looking to hide code from view code / inspect element is this safe to use ? I saw this anser here How to hide form code from view code/inspect element browser?
eval(function(p,a,c,k,e,d){e=function(c){return
c.toString(36)};if(!''.replace(/^/,String)){while(c--)
{d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return
d[e]}];e=function(){return'\\w+'};c=1};while(c--)
{if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),
k[c])}}return p}('(3(){(3 a(){8{(3 b(2)
{7((\'\'+(2/2)).6!==1||2%5===0){(3(){}).9(\'4\')()}
c{4}b(++2)})(0)}d(e){g(a,f)}})()})();',17,17,'
||i|function|debugger|20|length|if|try|constructor
|||else|catch||5000|setTimeout'.split('|'),0,{}))
In an answer about as useful as the question,
"No".
Most of us can't read the code because it is packed/obfuscated, and won't invest the time to try to read it.
If you're asking if it will prevent the user from opening the Developer Tools, then I don't know, because that would require me trying to run the code, which I'm not going to do, since I can't read the code and it could be malicious.
If you're asking if it will prevent someone from obtaining the rest of the code on your website, then no, it will not. A determined user could use curl or one of several other tools to retrieve the raw HTML or Javascript.
If you're asking if the code pasted above is secure because it is packed, then no, it is not. A determined user could quite easily analyze the code by hand and, once analyzed, write something to reverse engineer the packed code (that's assuming it uses an unknown packer -- if it uses a well-known packer, then someone has probably already written something to reverse it).
Is there a way to prevent the theft of a website's code?
One can never fully block a determined user from analyzing your code, only make things more annoying from them.
Simply using a minifier/uglifier on Javascript is usually enough to make the code mostly worthless to try to steal, since the cost of trying to analyze, rewrite it and further develop it is usually comparable to the cost of writing the same code from scratch.
Related
I'm not a JS programmer. I don't have enough skill to test it myself, so asking for help.
Is it possible to inject script or HTML tag into shadow_root element to check for holes on web?
For example <script>alert("alert");</script>
Maybe something else like by using <content>?
Main question: Is it possible or not?
And additional question: How?
According to what I could dig up in comments, you want to know if your users can inject code in your website pages. The answer is yes, the user has all the rights to play with the DOM in front of him. The easy way is by simply opening your favorite browser's developers' tools.
Do it yourself... Open your developer's tools window here, reach the console and write
document.write("<script>alert(\"alert\");</script>");
As you can see, you can change anything even directly on StackOverflow. But that causes absolutely no harm to others, just you. While you can do that on SO does mean that it is insecure at all! It is just that your browser has full control on what it received...
Now, the question should be more how can I detect possible points in my application where such injection can be harmful.
The answer is simple, never trust client input. The server should always validate the inputs, and make sure there is no database injection possible. When displaying user provided content, one should also make sure there is no hidden code tag that would be ran by the browser of the users looking at the webpage.
StackOverflow is not suited for this kind of knowledge sharing. I suggest you read about website security in general and then find more in depth resources related to your technology stack and the usage you have with your users' input.
Also, if you are asking this for a real job task you have been given. The most important thing to do would be to tell your manager you are not fit for the task. Not because you lack the talent, but because you lack the knowledge. This shows that you are smart enough to see the task as very important (security IS very important) and you are not willing to play with the company's reputation.
See workplace.stackexchange.com if you'd like to know how to best explain that to your superiors.
I'm working on a mvc application (applies to any website though) and was wondering is it ok to leave exposed jquery and javascript in a view? In other words when i run the program and right click and view source I can see all my jquery and javascript. Is that safe and ok? Is there a way to hide all of that so users can't see that? Thanks for any tips.
There is no way of hiding javascript completely from the user. JavaScript is a client side technology. It executes in the browser. If the browser can execute the script, it can also show it to the user.
You can use JavaScript obfuscator software to make the code harder to read, but you can never hide it completely. See http://www.javascriptobfuscator.com/default.aspx for an online example of this.
JQuery and other libraries are also publicy available so there is no harm in the user being able to access it. There is nothing secret about them.
If you have secrets in the code that you want to protect, you should think about putting the affected code on the server if possible instead of doing the processing on the client.
To make it harder for the interested spy to read you can put your scripts inside .js files and obfuscate them. See How can I obfuscate (protect) JavaScript? for more information.
Javascript is is executed on the client, so no there's not really anything you can do to hide it from the client. All you can really do is make it more difficult for a user to read through your code via obfuscation.
What your are looking for is Obfuscation.
There are very different opinions on why you should or shouldn't use it with Javascript.
See How can I obfuscate (protect) JavaScript?
Nope, you cannot hide your JS - remember that the JS is client side scripting and has to be executable at the client which implies that the browser must have access to it. And when the browser has access to it - the user can see it as well :)
Hiding isn't possible, all your JavaScript is needed client side to make your website functional. However you can obfuscate you JavaScript, in other words make in more ugly so nobody can really understand your code, but the browser will.
To obfuscate you javascript code take a look at:
UglifyJS JavaScript minification
hey you can do one thing onload call an action of server side through Ajax call into by returning javascript it will never show in your view source but it can be visible by firebug but its a way to sequre your javascript protuct from others to use it in a easy way i have done it one of my project even by this method you can hide your html too
There's no way to hide it. Anyway there's no reason to do it. If you want to obfuscate Javascript code, you can find software (obfuscators) that make your code more difficult to understand (for a human) and so called minifiers that make your code smaller.
This is a live example of such tools :
http://closure-compiler.appspot.com/home
I am usually downloading several jQuery plugings.
How can I check whether the script is stealing any information (such as user cookie, session id..) and sending to its developer's server?
In php, we are checking backdoor scripts by looking for some functions (system, passthru, shell_exec, etc). Is there any such type of function in JavaScript to connect to its developers site?
Obviously, your first step should be to read the code. There are a number of tell-tale signs you can look for, including looking for URLs in the code, and any encrypted code.
Of course, some code may be too complex to make this a realistic suggestion, particularly if it's been minified and obfuscated, but it should be possible to scan through it. If it is doing anything like this, it'll be using the same functions it uses to communicated with your own site (ie jQuery's ajax functions), so you won't see specific function calls that raise suspicion, but suspect URLs in the code should be checked out, and you should definitely avoid encrypted code (obfuscated is generally okay, but not encrypted).
Secondly, search the internet for other people commenting about the plugin. If there is anything untoward happening, its likely that other people will have noticed it. Avoid using plugins that don't have enough users to get any comments one way or the other.
Finally, use a tool like Firebug to watch for HTTP requests that occur while you're using a site containing the plugin. If it's communicating with base, it can't hide from you; the browser's debugging tools will happily show you what you need to know.
Hope that helps.
I don't think you can do anything else than read the whole code, and check if it is stealing anything.
Another thing you could do, is to search in the codes after words like 'document.cookie' and 'navigator' and other things that are necesary for stealing information.
I know some of you just feel it is as a completely wrong question but I have a few requirements of such kind that's why I am asking this question. I understand that javascript is downloaded by the browser on client side so it's very difficult to hide that.
So now i have a game code completely written in jquery and i want that the user is not able to see the complete code because:
The owner of the games doesn't want to show the game code to the user.
If a clever user reads the code carefully then he/she might be able to solve the puzzle(it's a puzzle game).
So, is it good enough to use google closure compiler or yui compressor to make the code unreadable & secure for the above requirements?
If you think that it's not possible to do this in the situation then please suggest me any other way of doing this. Do I need to completely rewrite the game code into a server side language then convert it to js using some tool?
Javascript is a client language, for that, you will always need to show the code to the user.
What you can do is compress and minified...
same thing as all Javascript Frameworks outthere, check this original version and compare with the minified and compressed version
This is not a perfect solution in any way, just one option: you may fetch the actual javascript code from the server via AJAX requests and make them runnable, eg. by eval()-ing them.
This will still not hide the code completely, but this makes the source invisible in the source code itself.
By the way obfuscating the source is an other practice to make the code unreadable.
I would suggest not having the entire game in js (i.e. download to the client). No matter what you do to obfuscate the code someone will figure it out and post about it. Put all the game logic and puzzles on the server side with rpc calls of some type. This can be something simple as a php script that you send ajax messages to that checks if a solution increment is correct. The php script would then look up the answer and return a response. Of course it doesn't have to be php, use whatever server side tech you are knowledgeable in.
I have an external JavaScript in my HTML page. Is there a way to disable linking to or viewing this js file?
No, there is not a way to do this. It's a client-side scripted language...you cannot in any way hide the a script that's running...not from the people you are probably wanting to hide it from (people who would go after your script are smarter than the average user most likely).
There are a number of tools available to inspect javascript, Chrome's tools, Firebug, any traffic sniffer, javascript unpackers (though debate-ably packing/minifying makes the code less "out of the box" usable).
You can deter people with the packing/minification, but you cannot prevent them from seeing/figuring out the code.
No, you cannot. If the browser is executing it, users can find a way to view it.
You might consider a Javascript minifier/obfuscator, like YUI Compressor, to make the reverse-engineer's job harder.
Nick Craver is correct (vote it), never the less, usually when having such problems with protected code, I use php to do some of it, this way the JavaScript file will be available, but not "human-readable" since it doesn't do all the necessary work...
Just a tip, despite I'm much more a share share king of guy!