Block access to WebService.asmx in asp.net - javascript

I have built a simple asp.net web application running asynchronously, using WebService.asmx file to access the database. I need to secure the file so clients won't be able to access it, but only the javascript code through an http request. (the file is located on domain.com/WebService.asmx).
I read that people suggest using a user authentication system yet this is not applicable (because it can be easily manipulated).
My final goal is to block the access to the WebService.asmx file from anywhere but the javascript file.
I'm using visual studio 2013 but the app will run on a Windows Server 2012.

In short, you can't.
Javascript runs on the client, in the browser.
Calling a asmx webservice through Javascript is no different visiting the URL in your browser (or any other client - Postman / Fiddler for example)
The server won't know any different.
Secure it appropriately.

Related

How to read and write to local text file from a localhost server (preferably using Node's fs module)

I'd like to find an easy way of reading and writing files (stored locally) from my program running on a localhost server. If I use const fs = require(fs) it can't find the Node module from the server. This makes sense. Is there any way of accessing that file from my javascript easily, with similar functionality to the fs module?
It appears that you aren't quite understanding how the client/server architecture works for an http server and the browser.
There's an http server that runs in nodejs. That has access to the local file system using the fs module. This is server-side code that runs in the nodejs execution environment.
There's an http client (the browser). It makes an http request to your server, the server sends back an http response and the browser gets that response and processes it. If the request is for an html page, then the browser gets that HTML, parses it, displays it and then runs any scripts embedded in the HTML page. The scripts running in the HTML page are running in the client/browser (not on the server).
Javascript running in the browser does not have access to nodejs modules like the fs module. It only has access to the libraries that the browser makes available. Absent special browser add-ons (with elevated privileges and associated security risks), scripts running in the browser in HTML pages do NOT have access to the local file system. This is for security reasons as you don't want random web pages that just happen to click on to have access to anything on your local hard drive.
So, you generally do not access local files from your browser Javascript. Instead, you either store data in LocalStorage and fetch the data from that or you store the data on the server (on behalf of the specific user) and that data is either included in the web page (so the Javascript running in the web page can use it) or the data can be requested from the server by the browser Javascript (using Ajax calls).

Get element by name in express/node

I'm creating an express/node app and I want to get an element by name but the server crashes when I use document.getElementsByName() so how can I get an element by name on express/node?
The document object that has document.getElementsByName() is something that Javascript that runs in a browser can use. Javascript that runs in nodejs cannot use that as the document lives in the browser, not in nodejs.
It appears that you may not quite understand the client/server nature of the web. A user starts up a browser that runs on their computer. When you type an URL into the URL bar in the browser and hit enter, it sends a request to a web server (a different computer usually off somewhere else on the internet). That web server receives the request, looks at what the path of the URL is and any parameters on the URL and then sends back content.
If what the URL represented was an HTML page, then the browser (running on the end-user's computer) takes that HTML page, parses it and displays it in the browser. If there are any references to other resources such as images or scripts, then the browser also requests those from the server.
If there is Javascript in the web page, then the browser runs that Javascript in the browser. It is this Javascript where document.getElementsByName() can be used. This is not nodejs Javascript, this is Javascript meant to run in the web page.
Where people occasionally get confused is that webpage Javascript actually lives on the server's hard drive somewhere. When the browser requests that script or that webpage, the nodejs server gets that request and sends the webpage or the script back to the browser. So, while the webpage script lives on the nodejs server, it does not actually run there - that's just where it is stored so that it can be sent to the browser when requested. When it runs in the browser, it can only use browser APIs, not nodejs APIs.
The Javascript in your nodejs server itself runs on the server. It can only use nodejs APIs, not browser APIs. So, that's why nodejs Javascript cannot use document.getElementsByName(). That only runs in the browser.
Node.js does not run in a browser, thus there is no 'document' element in the first place. If you are asking how to parse an HTML file on the server side that's a different question.

Loading .html and .js with websockets

I have the idea of having something like a web server but without a web server. Instead I want to use websockets. Is for internal use.
The user will have a basic webpage which will only open a websocket connection and should receive an .html, and immediately navigate to it.
Also it should be able to load a .js with helper functions for this new html.
I saw here something to load an image file
http://liamkaufman.com/blog/2012/02/11/12-pushing-files-to-the-browser-using-deliveryjs-socketio-and-nodejs/
but I don't know how to navigate to a received .html file and how to execute a received .js file.
Do not try to convince me of using a webserver or other technologies, I have my reaasons for doing this :-)
Thanks
Using a websocket inherently means you need to use a server. A websocket is be definition a connection between the client and the server.
From here
WebSockets is an advanced technology that makes it possible to open an interactive communication session between the user's browser and a server. With this API, you can send messages to a server and receive event-driven responses without having to poll the server for a reply.
Regarding running a javascript file that you have downloaded, you can use eval, or you can create a new script tag on the body to load your javascript.

Reading and writing client files from a web application

I need to implement a mechanism in order for a remote web application to communicate with a local desktop (WinForms) application that I cannot modify nor have the source of (except by decompiling). This happens by writing a file to the temporary folder that the desktop application will consume, and waiting for that application to "return" by writing another file into temp folder. Folder has to be temp folder.
Question
Is there a Javascript way to access the file system in a non sandboxed way, even by setting specific browser configuration options?
Environment
The application runs on a private LAN where all computers trust each other within the same AD domain. Plus we are theoretically allowed to map any network drive on any computer. Working in the trust zone, we don't have to care about most security concerns.
Background explanation
I have a PowerBuilder desktop application that I need to "port" to web (using J2EE) and install to a separate server, local to the same LAN. This application (named GP) currently starts a process of the child application (GC) that will not show any UI, instead it will listen for two files on a temporary directory.
When GP needs to open a window from the GC process, it will write two files: GP_to_GC.txt with a syntax I have documentation of, and GP_to_GC.flg that serves as flag file. GC will delete both after retaining and parsing the content of txt file, thus showing the appropriate UI form based on input.
The "return" is exactly the opposite. GC will write a pair of GC_to_GP files to temp and GP will refresh its views.
How can I do this with JavaScript?
Based on what I'm reading, you are porting a Desktop based Java EE application to a web application? If so, then you can continue using Java and access the folder that way; no need to use JavaScript.
What is unclear is that you're saying you can't modify anything, yet you're trying to port an application. Which is it?
If you can't modify anything, and the only thing you can do is drop JavaScript into an existing web application, then your solution is rather simple:
Create an HTTP API application that sits somewhere that has access to those folders, and issue a POST request to that API that will then read and write to the file system. It can be in any server side language you choose: Javascript (Node.js), C#, Java, PHP, whatever. It simply needs the ability to access the file system through the webserver, and most frameworks provide that capability.
I can't give you any code because you haven't mentioned which server side language you want to use to accomplish this approach.

Hiding Parse javascript SDK files and blocking client from running js

I'm working on a Parse web app and have run into some problems using the backbone.js based client side javascript sdk. I noticed the way I have things set up, the client can view all of my source code by simply using the dev tools to view source files and can also run code against the database (within the limits of the ACL's I've set). I've started working on rebuilding the app in cloud code using the Express.js module Parse provides so that all of my code is stored server side, but I was wondering how those using client side frameworks get around this obvious problem.
That's the issue with client-side code. Assume any code you send to the client is hacked, broken, and tampered with.
With JavaScript, your best bet is to use either Cloud Code and send AJAX or streaming data calls to the server, retrieve the data from the server at runtime (not super secure, but would fool some people), or accept that your code is vulnerable.
I typically work with frameworks in the MVC format, so I only expose a limited subset of the actual model via a REST API. I use both a client-side framework and a server-side framework. Any thing sensitive goes on the server.

Categories

Resources