I have a website hosted in ISS (can be other) that loads when it's called on localhost but not from extern :) like: http://:8081/Website.html.
The verification whether the website is called from localhost it's on the client in a js script that I can’t modify as it’s encrypted.
So I was thinking at two options:
Develop an ASP application that has a remote desktop connection to the machine that host the website (not some many example on how to).
Maybe configure the IIS configuration (didn't found how)
I'm out of ideas
Do you have any other solution or can you point on how can I do one of the above?
I have tried the WinForm solution from here: https://www.codeproject.com/kb/cs/remotedesktop_csharpnet.aspx and it doesn't work. And I prefer a website.
Updates:
The only working solution that I have for now is to configure a Remote Desktop Services (Web Access) as I hosted the application on Server 2008 R2. Then I only shared the browser that has the localhost page as default page
The javascript files are all minified and encrypted, meaning that if I search localhost as a word in all the files, nothing shows up. So fixing the client will be hard.
Is it possible to create a new Site Binding on IIS and access the site using the binding hostname? This requires your network DNS to register the hostname to the IP Address.
I assume you are dealing with encrypted(???) javascript that is hardcoded to display DOM only if it is loaded from localhost.
If by encrypted you mean minified you should still be able to find reference to "localhost" and modify javascript in minified version. If it is really encrypted by a wrapper of third party javascript library then I would suggest you to rewrite javascript. I mean how can there be any quality code in javascript code that is hardcoded to load only from localhost?
Fix the client and stop exploring other solutions like remote desktop connection. None of them are practical and sustainable solutions.
I think you need to use WebRTC, but it's supported for Chrome and Firefox. It allows two users to communicate directly, browser to browser using the RTCPeerConnection API.
Related
I have made some cookies using JavaScript. The code works but I understand that they need to be run using HTTP or some other protocol. The most obvious answer would be run the website using a webserver but that seems like a bad option for me as I am on a school network with restrictions and I need to make my website distributable so that I can send it to the exam board.
Background: the website is made-up of notepad documents, converted to html documents. So open them with browser and the webpage is displayed. But the cookies don't run properly so I need a way to make the cookies work without a webserver if possible.
I was thinking maybe there is a piece of development software that lets you view your website using protocols. It would be great if there was a piece of software that lets you compile your website into something small and distributable but with inbuilt HTTP or something. I don't know. Maybe Visual Studio has something?
You can't use cookies without HTTP, because cookies are an HTTP mechanism.
Instead of cookies, you could use localStorage, which works even with files loaded from file:// URLs (e.g., without a web server) (except on IE — quelle shock!). localStorage is also dramatically easier to use from JavaScript than cookies:
// Save a string in local storage
localStorage.setItem("foo", theString);
// Get it (perhaps on page load)
var theString = localStorage.getItem("foo");
I am trying to accomplish the following:
I want a button on my website that will open a windows program on the users computer. So for example, someone clicks "Remote Desktop" on my website, and it will open mstsc.exe on the machine.
Is this possible with any language?
The way you could do this is via an URI scheme. For that to work though, your application itself needs to have an URI scheme attached to it. Examples include mailto: (opens your email client - can also be a web client such as gmail), irc: (opens Internet Relay Chat client) and an example of a truly custom URI scheme (it isn't listed in the official list) is Github's Desktop application, which uses the URI scheme github-windows:. Again, for this to work, the app itself needs to have this built into itself.
I assume you didn't make this mstsc.exe "Remote Desktop" yourself, it is impossible to start this application in any way whatsoever using just your browser. If that would indeed be possible, it would be a massive security hole. It would mean you could simply run any program (or uninstall file) you'd like.
Note: If you did indeed make the application yourself, I suggest asking another question on this site, but making it specifically about registering custom URI schemes to your application, and also specifying what language your application is written in.
Problem definition:
Server is an embedded system with no access to Internet.
Each server is managed by web interface which uses JavaScript.
Each server has a local copy of JQuery library.
Clients (browsers) are connected to embedded systems (servers) via a very slow connection.
Clients have the latest browsers (HTML5, CSS3, JavaScript 1.8.5)
Clients are not connected to Internet either.
Clients can't access multiple servers at the same time (servers are in distant locations and most probably a client can only access one server and nothing else, but later that day the client may go to another location and connect to another server).
Each server has an IP address (not necessarily in the same range) and no DNS name.
Every time the client connects to an embedded server, it fetches all the files including the huge JQuery library (huge=~90KB)
Question:
The JQuery library is too big for this slow connection but one-time download is acceptable. However, we don't want the clients to download it every time they connect to each new server. The JQuery on all these devices is the same. But apparently the browser cache is domain based. How can we cache the JQuery library so that the client doesn't have to download the JQuery every time it connects to a new server?
just link to it in one place...
for example, if you have a single server, http://1.2.3.4/ that you want to designate as your CDN, put jQuery on it, and link to it in your scripts using <script src="http://1.2.3.4/jquery.min.js"></script>
you could link it to the ip in your link tag. The server does not have to have access to that access or anything, and so all the clients will geht the jquery from the same server all the time and so it is cached.
Here is a simple solution: All your customers must edit their /etc/hosts file (Google for where you can find it on Windows) and put a line like this in their config:
1.2.3.4 jquery-from-closest-server.com
Each client must figure out the closest server which has jQuery and replace 1.2.3.4 with its IP address.
In your HTML code, always use the link http://jquery-from-closest-server.com/jquery.js
To be safe, you may want to register jquery-from-closest-server.com for those customers which do have Internet access.
When the browser asks for the file, it will use /etc/hosts to resolve the IP address. Since the domain name will be the same for all your embedded devices (changes in the IP address are ignored by the browser), the script will be downloaded once for all clients.
Note that this means you can never upgrade to a newer version of jQuery. The problem is that you'd have to replace it on all embedded devices at the same time because there is no telling from which server the customers are downloading it from.
If that bothers you (and it will in about four months after you discovered the first serious bug), here is another solution: Instead of serving the HTML from your embedded device, distribute a static web app (a set of HTML files and JavaScript) which customer can install in their desktop. Use AJAX and iframes to replace parts of the static web app with data from your embedded device.
Advantages:
very fast (no downloads at all)
only little code on the embedded device
easy upgrade strategy
No deadlocks when you need to upgrade either the embedded devices or your controller app.
[EDIT] PS: Consider to compress jQuery with gzip. That leaves you with a 33KB file. All HTML5 browsers can decode compressed files, you just have to tell them by setting the necessary HTTP headers.
Apparently there is no standard way to include JQuery in our project so we chose to replace JQuery with a smaller similar library. These are the options:
JQuery mobile is a better fit for our project since it has a smaller size and can do almost everything we need from JQuery.
Zepto.js is also another suitable replacement.
JQuip is a stripped down version of JQuery that can help our specific project.
I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.
It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.
Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?
Well, although you will have to change the server and client code a little bit, it isn't very clean and you will have to trust the server, you can load the data as a javascript which contains a call to a function in your page and a big string or so as the parameter. This seems to be a good example.
Alternatively, you could serve the files from a local webserver and fiddle around with the hostsfile and document.domain.
I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.
I'm a bit confused about this.
Does XMLHttpRequest work on a remote URL or does it have to be a local file? There seems to be mixed information on the net.
According to w3.org: The XMLHttpRequest object can be used by scripts to programmatically connect to their originating server via HTTP.
But I've seen it used to access non-local web pages (in vista gadgets for instance for rss feeds) without using a proxy...
Enlighten me please!
It depends on the environment. If you run your JavaScript on a regular web page, XMLHttpRequest won't be able to connect to any other site. (That's what w3.org says, and browsers do implement this restriction.) However, in some contexts (such as Vista gadgets and Greasemonkey), it it possible to connect to any site in an AJAX request.
On a standerd web page you cant however in an app with authorised permissions you can such as a chrome extension with the permission "http://*" set. In my opinion this is a stupid restriction for normal web pages any damage/harm that can be done with it could be done using an iframe and the browsers refuse to disable them (long over due in my opinion).