Breach injection through shadow root - javascript

I'm not a JS programmer. I don't have enough skill to test it myself, so asking for help.
Is it possible to inject script or HTML tag into shadow_root element to check for holes on web?
For example <script>alert("alert");</script>
Maybe something else like by using <content>?
Main question: Is it possible or not?
And additional question: How?

According to what I could dig up in comments, you want to know if your users can inject code in your website pages. The answer is yes, the user has all the rights to play with the DOM in front of him. The easy way is by simply opening your favorite browser's developers' tools.
Do it yourself... Open your developer's tools window here, reach the console and write
document.write("<script>alert(\"alert\");</script>");
As you can see, you can change anything even directly on StackOverflow. But that causes absolutely no harm to others, just you. While you can do that on SO does mean that it is insecure at all! It is just that your browser has full control on what it received...
Now, the question should be more how can I detect possible points in my application where such injection can be harmful.
The answer is simple, never trust client input. The server should always validate the inputs, and make sure there is no database injection possible. When displaying user provided content, one should also make sure there is no hidden code tag that would be run by the browser of the users looking at the webpage.
StackOverflow is not suited for this kind of knowledge sharing. I suggest you read about website security in general and then find more in depth resources related to your technology stack and the usage you have with your users' input.
Also, if you are asking this for a real job task you have been given, the most important thing to do would be to tell your manager you are not fit for the task. Not because you lack the talent, but because you lack the knowledge. This shows that you are smart enough to see the task as very important (security IS very important) and you are not willing to play with the company's reputation.
See workplace.stackexchange.com if you'd like to know how to best explain that to your superiors.
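The advice about displaying user-provided content, as an added example that is not part of the original answer: the same stored comments rendered once by plain concatenation and once with output encoding. The comment data and function names are constructed for illustration; the second comment body is the payload from the question.

```javascript
// Characters that change meaning inside HTML text or quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample of comments as they might sit in a database.
const COMMENTS = [
  { author: "alice", body: "Works for me & my team" },
  { author: "mallory", body: '<script>alert("alert");</script>' },
];

// Vulnerable: stored text is concatenated into the page, so every visitor's
// browser parses the second comment as markup.
function renderUnsafe(comments) {
  return comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Hardened: every user-controlled field is encoded at output time, so the
// browser shows the text instead of interpreting it.
function renderEncoded(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// True when the markup would hand the browser a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(COMMENTS));
console.log(renderEncoded(COMMENTS));
```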

Related

Is this safe to use to hide code from view code / inspect?

Kindly looking to hide code from view code / inspect element. Is this safe to use? I saw this answer here: How to hide form code from view code/inspect element browser?
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};
if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}
k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}(
'(3(){(3 a(){8{(3 b(2){7((\'\'+(2/2)).6!==1||2%5===0){(3(){}).9(\'4\')()}c{4}b(++2)})(0)}d(e){g(a,f)}})()})();',
17,17,'||i|function|debugger|20|length|if|try|constructor|||else|catch||5000|setTimeout'.split('|'),0,{}))
In an answer about as useful as the question,
"No".
Most of us can't read the code because it is packed/obfuscated, and won't invest the time to try to read it.
If you're asking if it will prevent the user from opening the Developer Tools, then I don't know, because that would require me trying to run the code, which I'm not going to do, since I can't read the code and it could be malicious.
If you're asking if it will prevent someone from obtaining the rest of the code on your website, then no, it will not. A determined user could use curl or one of several other tools to retrieve the raw HTML or Javascript.
If you're asking if the code pasted above is secure because it is packed, then no, it is not. A determined user could quite easily analyze the code by hand and, once analyzed, write something to reverse engineer the packed code (that's assuming it uses an unknown packer -- if it uses a well-known packer, then someone has probably already written something to reverse it).
Is there a way to prevent the theft of a website's code?
One can never fully block a determined user from analyzing your code, only make things more annoying for them.
Simply using a minifier/uglifier on Javascript is usually enough to make the code mostly worthless to try to steal, since the cost of trying to analyze, rewrite it and further develop it is usually comparable to the cost of writing the same code from scratch.
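The point that packed code can be reversed without running it, as an added example that is not part of the original answer: a static unpacker that applies the dictionary substitution from the snippet in the question and never calls eval(). The function names are constructed for illustration, and this sketch only handles the radix 36 or lower encoding that snippet uses.

```javascript
// Arguments copied from the packed snippet in the question: payload, radix,
// word count and the '|'-separated dictionary.
const PACKED = "(3(){(3 a(){8{(3 b(2){7((''+(2/2)).6!==1||2%5===0){(3(){}).9('4')()}c{4}b(++2)})(0)}d(e){g(a,f)}})()})();";
const RADIX = 17;
const COUNT = 17;
const WORDS = "||i|function|debugger|20|length|if|try|constructor|||else|catch||5000|setTimeout".split("|");

// Replace each word token with its dictionary entry, as the packer's own
// bootstrap would, but return the source as text instead of executing it.
function unpack(payload, radix, count, words) {
  if (radix < 2 || radix > 36) {
    throw new RangeError("this sketch only handles radix 2..36");
  }
  return payload.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    // parseInt accepts a valid prefix ("foo" parses as 15 in base 17), so
    // require a round trip before treating the token as a dictionary index.
    if (Number.isNaN(index) || index >= count || index.toString(radix) !== token) {
      return token;
    }
    // An empty dictionary slot means the token stands for itself.
    return words[index] || token;
  });
}

// Name the constructs in the recovered source that a reviewer should look at.
function flag(source) {
  const checks = {
    debuggerStatement: /\bdebugger\b/,
    functionConstructor: /\.constructor\(/,
    timerRearm: /\bsetTimeout\(/,
  };
  return Object.keys(checks).filter((name) => checks[name].test(source));
}

const unpacked = unpack(PACKED, RADIX, COUNT, WORDS);
console.log(unpacked);
console.log(flag(unpacked));
```

The recovered text is a loop that repeatedly hits `debugger` statements and re-arms itself with a timer, which only has an effect while developer tools are open; it does nothing to hide the page's other code.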

Access to global JS variables without owning the page

overflow community,
I've read several posts trying to solve the problem, but they don't answer my question.
Is there any legal way to find out what events (?) another site sends?
I don't ask because of illegal business and I am ready to find out more myself as soon as I know what I really have to look for in terms of topic and methods.
In particular it's about advertising and finding out if someone registered on another via a referral link. Like a sign that is sent as soon as the registration (on the other site which is not mine) is completed.
I want to find this out during the visit of the client on my site.
I just need to know if such a thing is legally possible and what JS topics I should give a go to find out more.
I hope my post is comprehensible enough. :)
edit: It's not about global variables.
You can use your browser's developer tools to see what's happening behind your back while you're visiting a web page (I recommend Firebug in Firefox). Alternatively, you may use a network spoofer like Wireshark to capture the traffic from the browser and analyze it in any way.
It's all up to you to find the information you think is relevant inside it in URLs, in request headers and bodies, etc. In your case, this would include script generated content and referral codes that may help keeping track of a user's browsing history across domains.
You don't really need Javascript knowledge to do this, but you need some basics about networking protocols.
This is probably as illegal as using a text editor, but just ask your lawyer if you're unsure :D

Can a site REQUIRE Javascript and still be Section 508-compliant?

I think I understand HOW Javascript has to work in order to be O.K. for section 508. But I have been unable to find an answer to a related question: does my site need to work WITHOUT Javascript in order to be section 508 compliant?
To take an extreme case, if users without Javascript cannot log in, does that violate section 508 compliance? And if so, where in the text is that explained?
I know that all content has to be accessible with screenreaders, for keyboard-with-no-mouse users, etc. BUT does all content need to be accessible to users without Javascript?
Recent surveys have found that a vast majority of users that run screen readers have JS enabled, not disabled. Granted, a screen reader does what its name implies: it reads the screen. If a screen reader doesn't know where to read, then it can't do its job. For instance, modal dialogs are probably a bad idea if you're looking to support those users, though including something like form validation probably isn't a terrible idea.
The idea is to keep items on the screen from changing too rapidly. If you update large elements of your UI frequently using JS, you're probably not going to get too great of a response from the screen reader community. On the other hand, if the majority of the JS is behind-the-scenes, then most screen reader users probably won't even notice that you're using scripts.
The list at the bottom of the link I provided above gives some great insight into the biggest problems that screen reader users face. Avoiding any situations where those scenarios might pop up (i.e.: visual CAPTCHAs, complex layouts, rapidly updated UI elements, etc.) will probably leave you in good shape.
And as always, download yourself a screen reader (there are plenty of free and open source readers available) to test out your software.
ADA 508 doesn't require you to have JavaScript. All you have to do is add a <noscript> tag that explains that they can't log in without JavaScript enabled. Then when it is enabled, you should verify that the event handlers that are called have no problems on screen readers.
This site explains the javascript event handlers that work well with most screen readers:
http://ada508.com/
OnClick and simple validation should be fine.
So in short...no, all content does not have to be accessible to readers without JavaScript as long as you have a <noscript> tag on the page.
Section 508 compliance rules do not specify at all whether you use or do not use Javascript. It merely enforces the fact that you must provide equal access to the information you are presenting electronically, regardless of electronic delivery method. For a website, whether that is done by making your website accessible (with or without javascript), a text-only version of your entire website, or a phone number that someone can call that is staffed appropriately and has access to all that information, you have satisfied the intent of the law.
One of the best resources for information on 508 compliance is http://www.section508.gov.
It used to be the case that finding JavaScript on a website meant there was little to no chance that the site in question would be accessible. Thanks to things like ARIA roles and especially focus control, inaccessible javascript is a thing of the past.
In order to make your js comply, you simply have to pay attention to where the focus is, and whether or not your actual content can be accessed by assistive technology. There are easily dozens of resources on this topic, but none so much to the point as Google's Intro to Web Accessibility class. Fear not, it doesn't require much more than an email address, and you can get the majority of what you need in a hurry, should that be your need. Good luck! Accessible js takes a little bit of work, but it is worth it!

Problems with noobs putting my GA code into their sites

I don't mean for the title to be derogatory, but this is a rather frustrating problem, and I'm looking for a good workaround, given a language barrier involved.
I have a site set up for a plugin I wrote, and, rather than use the site's resources to write their own code, I've had people simply rip the code from the samples on the site. Normally, this wouldn't be any issue at all, but they are also taking my Google Analytics instantiation, so my Analytics data is getting very skewed by incorporating visitation data from their websites.
I've been able to contact the English-speaking site owners with little issue. The problem lies in the Japanese language sites that are yanking the code. I have no idea how to ask them to take down the analytics portion.
Long-term, I'm providing a package that streamlines the learning-to-use process, but in the meantime, what can I do about this language barrier? Is there a way around this problem that I haven't thought of?
You could modify the javascript on your pages to only load Analytics if the domain matches your own.
Two ideas:
Don't show your actual GA code on your site. Replace it with some filler code that makes it obvious it's meant to be replaced. Since I'm not sure what your plugin is about I'm not sure how practical this is, but I think there must be a way.
Use Google Translate to give foreign users the option to see your page translated into their own language. Google even offers a tool to add a "Choose your language" drop-down to any page. (And of course make sure the most important parts of your site are in plain, easily-translated English.)
Good luck!
Also, building on Greg's solution, if the domain doesn't match your own, you could alert a message telling the implementer to remove the code, a la what Crockford did with his JSON parser.
I would contact them in English (using plain language), and at the bottom I would add a version of the same text run through Google Translate - with an apology that it was generated by Google Translate and may not be accurate.
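The two suggestions above (load Analytics only on your own domain, and tell the implementer to remove the code otherwise), as an added example that is not part of the original answers. The host names, notice text and function names are constructed placeholders; the tracking call itself is passed in as a callback.

```javascript
// Hosts that are allowed to report to this Analytics property (placeholders).
const ALLOWED_HOSTS = ["plugin.example"];

const COPY_NOTICE =
  "This page includes an Analytics snippet copied from the plugin samples. " +
  "Please remove it or replace it with your own property ID.";

// Exact match or true subdomain only. A bare endsWith(base) would also accept
// "notplugin.example", and a substring test would accept
// "plugin.example.copycat.test".
function isOwnHost(hostname, allowed = ALLOWED_HOSTS) {
  const host = String(hostname).toLowerCase().replace(/\.$/, "");
  return allowed.some((base) => host === base || host.endsWith("." + base));
}

// Runs the tracking callback on allowed hosts; elsewhere it skips tracking and
// hands the notice to the warn callback. Returns whether tracking was loaded.
function guardAnalytics(hostname, loadAnalytics, warn) {
  if (isOwnHost(hostname)) {
    loadAnalytics();
    return true;
  }
  warn(COPY_NOTICE);
  return false;
}

// Browser usage (loadGa is a hypothetical wrapper around the real GA snippet):
//   guardAnalytics(location.hostname, loadGa, (msg) => console.warn(msg));
```

This keeps copied pages out of the reports only while the copier leaves the check in place; a hostname filter on the Analytics side covers snippets pasted without it.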

What's the best way of stopping users from copying and pasting text from a web app?

The site I'm working on displays some proprietary 3rd party data that's quite valuable. As such they want to stop people copying and pasting their information. They understand that, of course, there's nothing we can do to stop users just writing down info or printing it off, but they want to make it as difficult as possible for their data to be taken. The other big concern is performance. The site sees a healthy amount of activity, so keeping it snappy is a big deal.
I was hoping to get a bit of feedback from you guys on the best way of accomplishing this
Some potential solutions that have been suggested:
1. Use a bit of javascript to stop users hitting ctrl / right clicking (irritating and won't stop more advanced users)
2. Use flex (very slow, but very safe since the data is binary)
3. Create or find some funky html to image converter and display the data as images
Your thoughts and opinions are very welcome.
Thanks in advance!
Charge the users for access to the information.
You can try all sorts of code workarounds, but you really aren't going to stop anyone who is determined. By charging, you limit access to people who really need the information and if they copy it, then at least you've been reimbursed. It also filters out a lot of the people who would use it maliciously. Also, put a legal notice on the information detailing how it can be used so that you can follow up copiers with legal action if necessary.
This really sounds like a serious problem with the origins of the question. If this is something that shouldn't be easy to copy, why is it visible at all?
If it's really proprietary, why is it a good idea to post it on the web?
Seems that an internal webpage would be more appropriate.
It is a tricky situation, since this is the web...
You could use a very small bit of flash to display the sensitive data, which you'd have complete control over, and if it's small, shouldn't hurt your download times. This would probably be my preferred method.
Option #3 would stop people from copying and pasting, but it wouldn't stop them from downloading the image. I'm not sure if that matters to you.
Do you need to serve audiences that have javascript turned off? If not, you could use AJAX to pull the sensitive information in the first place, then use a script to stop them from copying that div or whatever.
You might want to check out Tynt Tracer. It doesn't prevent copying, but at least allows you to track where it's going...in part anyway.
You might look at the option 1, as a "bare minimum" way of doing it, but admittedly it isn't a great option, as simply disabling JS gets around it.
Your third idea would also work, but you can actually make it easier to save by going to the image and the way they are stored in temporary internet files.
Also, as a side note, to prevent printing you might want to specify a print only CSS that hides all content.
body {display:none;}
It isn't perfect, but again stops the casual user from printing.
Charging money for the content is a good answer, but I'm guessing you're already charging for the content.
#2 is clearly the most secure option, and the most flexible, allowing you to really punish yourself as much as possible as well (do things like implement over the wire encryption etc...) So it should come as no surprise it is also the most expensive to implement.
Given, someone can just decompile your code and inspect memory, but at that point, it is doubtful you are going to stop anyone.
Offer the information for download in password protected pdf, where the only thing that they can do is to view it, no printing, copy paste, etc. Although you can't stop a print screen. Primo PDF can do that for you and is free. http://www.primopdf.com/
The key here is that the effort it takes to bypass any solution you choose is greater than the value of the information you are trying to protect from being copied.
