Is there any way to prevent a web app from being stored and operated from local file system.
The app has proprietary front end work-space, built with JS & many other libraries, which must be available for usage only if the user is logged in over the domain with active internet.
If any user attempt to save the page and relevant files to local file system and try opening the workspace, it must be prevented.
Is there any possibility to achieve this
If someone really wants to look at the code that's being run, there's no way to prevent it, because it's running on their machine, and they can do anything they want with their machine, including examining network requests (such as from their browser, or from their OS).
If there is information that the client should not be able to access under any circumstances, the only solution is to not send that information to the client in the first place.
Now, there are methods to check whether a script is being run from a webpage or a file, eg:
if (window.location.href.startsWith('file:')) {
throw new Error();
}
But the user may still examine the script and tamper with it if they desire.
Related
Background:
I'm a tech writer at our company. I dabble in Javascript from time to time, and I consider my js skill level to be maybe advanced beginner/early intermediate.
Anyway, we have Help content created by Adobe's RoboHelp (version 2017). The Help content is static HTML5 .htm pages. The Help gets installed into a folder as a bunch of static .htm pages on our users' computers when they install our product. The users open our .htm pages in their browser via the file:// protocol.
Our Goal:
On our first intro page of our Help, we're planning on showing a "What's New" .htm file inside of an iframe, but we only want to show it the first time a user accesses the documentation.
What I Know and Have Tried:
I know on a real web server, I'd probably just use cookies to control this. But on a local computer, cookies aren't persistent, and after the session closes, the local cookie storage gets deleted.
I know that Javascript accessing the file system unfettered is a security no no and isn't possible.
I've looked into the FileSystem API but the things I've read indicate that it is dead and not in the standard going forward.
My Question:
Is there some other way in Javascript to have limited trusted access to a single settings file etc for this kind of thing? If so, what is the best / recommended way that keeps the user's computer secure but allows us to store and modify settings in a limited fashion so the user has the best experience?
Note that many of these users probably won't have access to the Internet at all, since their computers will be on a factory floor, so a solution that doesn't require talking back to the Internet is ideal.
I assume most of our users log onto their computers with a standard (non-admin) level login. How many users on the same computer will vary, and I don't have that info, though I think it's likely there will be different shifts that use the same computer.
I'm planning on just storing something simple, like boolean values (ie True/False for if this is the first time they've seen the What's New page etc).
Some questions:
Does a user login? What sort of information is planned on being stored?
How many users will be using the same computer?
It's not strictly secure. I wouldn't store any passwords, and personally identifiable info in localStorage, however there are some caveats ( Storing Credentials in Local Storage ), https://softwareengineering.stackexchange.com/questions/152763/html5-localstorage-and-encrypted-sensitive-data ( however if it's on a computer not connected to the internet, then maybe something simple with encryption, might be ... okay )
Might have a look at localStorage.
https://stackoverflow.com/a/44358718/2026508
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
I want something like this : first time my web page is loaded, I store a function fn in browser's local storage. From then on, whenever a request to my domain is to be made fn is executed before even making that request (but of course after figuring out that the request is to be made to my domain)
Is it possible?
What I think you are looking for is called Application Cache. Application Cache allows you to specify a cache manifest to tell a supported browser that certain files on your site should be cached, and automatically loaded form cache the moment the user visits your site a second time. The browser will check for updates AFTER the site is loaded, so even if you update the manifest file (which is the only way to tell a browser one of the cached files changed), the browser will download the updated files in the background. Then you can choose to reload the page automatically or just let the user use the old cache until the next time they load a cached page.
http://www.html5rocks.com/en/tutorials/appcache/beginner/
This is the ONLY way to load html/images/js or execute js before a single request is sent to your site. This also means if you design your site/app correctly, it can be used even if the user is completely offline.
I hope not since those functions would be the net equivalent of land-mines. Imagine I know a bank merger is going to happen so I buy a bunch of domains that the post-merger company might have, and do something to get traffic to go there which stores one of these functions in the browser cache. The merged bank then comes after me for domain-squatting and I hand over the domain without much of a fight. The script I embedded now runs for any request to the bank even though I don't own the domain, so it can launch a pop-under for my phishing site only when the user actually navigates to the banks website.
You cannot store functions using any of the semi-permanent means of Javascript (local storage/cookies). You could store a function name, which you would then use to determine what function to execute. If you include the javascript file on every page on your domain, then it's possible.
This could be done quite easily by setting a cookie, or storing a value in local storage. If the value doesn't exist, it's the first time.
I've been looking for better ways to secure my site. Many forums and Q/A sites say jquery variables and HTML attributes may be changed by the end user. How do they do this? If they can alter data and elements on a site, can they insert scripts as well?
For instance I have 2 jquery scripts for a home page. The fist is a "member only" script and the second is a "visitor only" script. Can the end user log into my site, copy the "member only" script, log off, and inject the script so it'll run as a visitor?
Yes, it is safe to assume that nothing on the client side is safe. Using tools like Firebug for Firefox or Developer Tools for Chrome, end users are able to manipulate (add, alter, delete):
Your HTML
Your CSS
Your JS
Your HTTP headers (data packets sent to your server)
Cookies
To answer your question directly: if you are solely relying on JavaScript (and most likely cookies) to track user session state and deliver different content to members and guests, then I can say with absolute certainty that other people will circumvent your security, and it would be trivial to do so.
Designing secure applications is not easy, a constant battle, and takes years to fully master. Hacking applications is very easy, fun for the whole family, and can be learned on YouTube in 20 minutes.
Having said all that, hopefully the content you are containing in the JS is not "mission-critical" or "sensitive-data". If it is, I would seriously weigh the costs of hiring a third party developer who is well versed in security to come in and help you out. Because, like I said earlier, creating a truly secure site is not something easily done.
Short Answer: Yes.
Anything on the users computer can be viewed and changed by the user, and any user can write their own scripts to execute on the page.
For example, you will up vote this post automatically if you paste this in your address bar and hit enter from this page:
javascript: $('#answer-7061924 a.vote-up-off').click();
It's not really hacking because you are the end user running the script yourself, only doing actions the end user can normally do. If you allow the end user on your site to perform actions that affect your server in a way they shouldn't be able to, then you have a problem. For example, if I had a way to make that Javascript execute automatically instead of you having to run it yourself from your address bar. Everyone who came to this page would automatically upvote this answer which would be (obviously) undesired behavior.
Firebug and Greasemonkey can be used to replace any javascript: the nature of the Browser as a client is such that the user can basically have it do anything they want. Your specific scenario is definitely possible.
well, if your scripts are public and not protected by a server side than the Hacker can run it in a browser like mozilla.
you should always keep your protected content in a server side scripting and allow access by the session (or some other server side method)
Yes a user can edit scripts however all scripts are compiled on the user's machine meaning that anything they alter will only affect their machine and not any of your other visitors.
However, if you have paid content which you feed using a "members-only" script then it's safest if you use technology on the server to distribute your members-only content rather than rely on the client scripts to secure your content.
Most security problems occur when the client is allowed to interact with the server and modify data on the server.
Here's a good bit on information you can read about XSS: http://en.wikipedia.org/wiki/Cross-site_scripting
To put it very simply:
The web page is just an interface for clients to use your server. It can be altered in all possible ways and anyone can send any kind of data to your server.
For first, you have to check that the user sending that data to your server has privileges to do so. Usually done by checking against server session.
Then you have to check at your server end that you are only taking the data you want, and nothing more or less and that the data is valid by validating it on your server.
For example if there is a mandatory field in some form that user has to fill out, you have to check that the data is actually sent to server because user may just delete the field from the form and send it without.
Other example is that if you are trying to dynamically add data from the form to database, user may just add new field, like "admin", and set it to 1 and send the form. If you then have admin field in database, the user is set as an admin.
The one of the most important things is to remember avoid SQL injection.
There are many tools to use. They are made for web developers to test if their site is safe. Hackbar is one for example.
I have an HTML5 app which is capable of running offline. However, I need to password protect the directory this app resides in to only allow access to authorized users. Initially I was using a PHP login page which set a cookie (outside of the app directory) then redirected to the app directory. The app (JavaScript) checks for the cookie and if it's there it lets the user run the app. If not, it redirects them back out of the app directory.
The problem with this method is that all of the files in the directory are still accessible if referenced directly (which I don't want). I do not want users to have to authenticate every time they hit the directory (it's a one-time authentication process; the cookie is there so that they never have to type their username/password again), and I also want to have a stylized login form (i.e. not using the default browser login box for http authentication).
Finally, because this is an offline HTML5 app, I can't include any PHP code in the app itself.
Any suggestions?
That doesn't sound like something you could do from Javascript. The script would need access to the file system to be able to restrict access to the folder, wouldn't it?
Unless this feature is exposed by the browser via a javascript API, I don't think it will be possible. It sounds like it would be a useful feature though.
Perhaps you could encrypt vital data, but apart from slowing down the application, I'm not sure what good it would do, since all the necessary keys would have to be stored locally as well...
Since the general rule of security on the web is that you can never ever rely on anything that happens client-side (e.g. in Javascript) without a double check on the server-side, this will of course pose a problem when the app is running offline and the server-side is not available :(
Looking at the "make Javascript redirect if the cookie exists" problem, unless I'm mistaken, it would be trivial for a malicious user to edit the Javascript, using for example Firebug, to redirect in any case.
EDIT: By the way, what level of security are you looking for? The "mom won't be able to accidentally access my account"-level (which it sounds like you already achieved), or the "no one, except maybe the NSA, should be able to hack it"-level?
I wrote a web page that displays images from several servers on my network via simple img tags with appropriate href values. The servers require authentication before they will send the images.
It works alright, except on first load the page presents the user with a series of password prompts (one for each server). The user can select the "Remember my password" checkbox, and then subsequent refreshes of the page work without prompting, with correctly updated images. That is, until someone closes out the browser, after which a new set of prompts awaits anyone who opens the page again.
All of the credentials needed are known beforehand, and I don't care if someone could read them in the page source, since this page is in a protected part of an internal intranet site. Everyone with access to this page knows the passwords anyway.
The only browser we're allowed to use is IE 7, so I don't care about compatibility with other browsers at the moment.
Is there any way I can use JavaScript (or some other client-side code) to automatically answer those prompts so the user never sees them?
Thanks very much, in advance.
You can include the authentication in the URL:
<img src="http://paulfisher:tastybacon#internalwebs/path/to/image.png">
Where, of course, paulfisher is my username and my password is tastybacon.
No, javascript can't do this. Here are a couple of options that I've used before to solve this problem:
Change the authentication on the other servers to be either anonymous or integrated.
Proxy in the images: On the server serving the page, add another page that takes in the URL of the remote server. This new page makes a webrequest to the other server and streams the image back. The webrequest can plug in the correct credentials.
Depending on the servers' DNS names, it might be possible to share an authentication cookie across all of the servers. Then you could set up some kind of module on all of the servers to allow the shared authentication.