how to get hostname from Javascript, so that user cannot spoof it? - javascript

Though we can get the hostname from the javascript by using window.location.hostname but the other user can download the js and pass it as constant valid hostname, I'm working on something for which I need to know where the script is hosted and the user of that js cannot spoof it.
One more solution which i thought of is using request.headers.origin but that also can be spoofed.
Is there any such solution by which I can get the hostname where the js is hosted so that I can restrict unauthorized use of js hosting.
I tried googling but couldn't find any solution. The solution which most people suggest is to obfuscate the js code after passing it from js only.
Can we do better?

You can't.
Everything that happens in the browser is entirely under the control of the user.
If you don't trust the user, then you can't trust any information you get from the browser.
You should find a source for the information that doesn't depend so heavily on the browser (e.g. generating the information server side and then associating it with information from the browser via the use of a session).

Related

Use JavaScript to crawl a website -> Possible and which IP is shown on the crawled site

it is possible to crawl a website within an Angular-App? I am speaking about to call a website from Angular, not crawling an Angular-App. If that so, then I am wondering which IP will be shown on the crawled website. Since JavaScript is client-side, I would suggest, its the IP of the client, not of the server (like probably at nodejs). But all I know, its mostly browser-implemented stuff what we can use in JS, so it is even possible to crawl websites with methods from JavaScript (or Angular)?
Best Regards
Buzz
In theory, you can create an AJAX request to fetch the data with reponse type text/html. That would give you the remote document as a string. The browser wouldn't try to load the JavaScript and CSS in that document, though. That might not be a problem but CORS is. For security reasons, most browsers prevent you from loading data from somewhere else (otherwise, it would be too easy for criminals to put JavaScript into any web page). See here for details: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
If you have control over the second domain, you can configure the server there to send Access-Control-Allow-Origin headers to the browser to allow access from the Angular App.
Note: You could use an iframe to load the other website but when the domains of the current document and the one in the iframe don't match, then you can't access the contents of the iframe from JavaScript.
One way to work around this is to install a proxy on your server. The browser can then ask your server for the pages in question. In this case, the remote web site will get the IP of your server.

Restrict API Usage

I want to put a restriction on my API so only registered users can use it on their websites. The javascript will be used on their website by pasting it into their html. Right now I use a token for each user but it's visible to the public on their site so anyone could copy it. It tracks usage but doesn't restrict it to only their site.
My first thought was to get the HTTP_REFERER variable from the http headers on the server and make sure it's from the domain registered by the user. This won't work because HTTP_REFERER can be blank or changed.
My second thought was to use JavaScript in the pasted script to get the document.location and pass that back the to server. That can also be tampered with so it is unreliable.
I'm looking at OAUTH2 now as a solution. I don't know much about it besides it's used for SSO. Looking at this JS OAUTH2 Lib too: https://github.com/andreassolberg/jso
Could they be used for what I need to do?
One requirement is that the script is pasted into the HTML. There shouldn't be any other configuration on their site that needs to be done.
What other solutions are their for this?
There shouldn't be any other configuration on their site that needs to be done other than pasting your javascript ?
Well, then probably OAUTH2 is not what you are looking for, OAUTH adds the concept of an authorization server to your web API and the complexity increases.
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
if you are not looking to authorize users but just identify domains that can consume your api from javascript, enable cors and add an attribute to specify which origins are allowed to access the resource. Example :
http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
Thanks.

XSS - Send data to the source server of a script?

I am writing a JavaScript application where I plan on host the code on a CDN. Now I plan to include this code to my clients' sites. However, I have a problem, I want to use AJAX to communicate between the client and the server. Now, from my understanding of XSS, this is not possible.
Ex:
User visits site.com, where a script tag's source is pointing to a file on cdn.somedomain.com
The script on cdn.somedomain.com fires an event.
This event will communicate with a PHP. I know it is possible for the script from cdn.somedomain.com to request documents on site.com. However, is it possible to send data back to a PHP file on cdn.somedomain.com?
Thanks for helping an entrepenuer! :D
The short is I think this is possible, but it depends on a couple of things. The same origin policy is a weird thing in that it won't allow cross domain reads, but will allow cross domain writes.
I think a way you could accomplish your goal is by making a GET request (minimally by creating an iframe, img, or whatever else that pulls a src) or possibly even using AJAX. If your goal is to only send data, then that should be fine. However, if you want to read this data back then I think that'll be a little less straight forward. I can't really answer that right now - especially without knowing more details about your system setup.
Sounds like a weird use of a cdn. Normally cdns serve static assets, so you wouldnt put a php file there. In fact the cdn wouldnt normally run dynamic server side code at all.
You can address the problem in several ways. Newer browsers support CORS and cross domain ajax. The cdn would then have to use the Access-control-* headers. You could also look at something like easyXDM, which works in older browsers.

What are the best security measures to take for making certain directories private?

I have a directory on my server that I do not want Search Engines to crawl and I already set this rule in robots.txt
I do want people that have logged in to be able to have access to this directory without having to enter a password or anything.
I am thinking that a cookie is the best thing to put on users computers after they login, and if they have a cookie, they can access the directory. Is this possible, or is there a better way?
I want people without this cookie to not have access to this directory - access for members only
Any suggestions on the best design for this?
The answer depends on the webserver used and, if any, also the server side language. Judging your question history, I'll bet that it's Apache HTTPD.
If that is true, then you can just put an .htaccess file in the folder in question to control the access by HTTP basic authentication. If you want more flexibility, you'll need to control it in the server side language in question. Basically you just need to store the logged-in user in the session and check on every request if the user is there and if it is allowed to do the request.
That said, since you tagged Javascript as well, it might be good to know that JS is a client side language and thus can be fully controlled/disabled/spoofed/hacked by the client. Forget about it when talking about security. JS is generally only good for progressive enhancement of the webpage.

How can I use JavaScript to identify a client?

I have a problem where I cannot identify visitors to my intranet page because their browser is configured to use a proxy, even for the local intranet. I always see the proxy IP and no other details about the client. The SOE that my company uses has the proxy set up already for Firefox and Internet Explorer, and I cannot ask them to reconfigure their browser because that is fairly complicated. I have tried using the PHP $_SERVER['REMOTE_ADDR'] and also one called $HTTP_SERVER_VARS['HTTP_X_FORWARD_FOR']. In fact, I wrote a page that lists both the $_SERVER and $HTTP_SERVER_VARS arrays and there was nothing informative of the actual client connecting. This is why I think it needs to be done on the client's side.
I'm not looking for a secure solution because it is only a simple page, so I was hoping that I could use Javascript or something similar to find something revealing about the client and send it to my intranet page as a GET variable. It's basically for collating statistics. It is no use telling me most of the visitors are a proxy! :)
I also want to avoid having users log in if possible.
You could use a cookie with a random, unique ID that's set upon the first entrance, and then used for identification. Could be done either in JavaScript or in PHP.
I am pretty sure there's no universal way to do this otherwise the whole concept of anonymous proxies go down the drain :)
My advice would be to ask your IT department to configure the proxy to populate the HTTP-X-FORWARD-FOR, REMOTE-ADDR or some other identifying header.

Categories

Resources