Create ActiveXObject on *server* - javascript

I have created a little html stub that allows a user to compare various spellers. I would like to include the Word speller and I have written code in a .js file to create an ActiveXObject thus:
var wordApp = new ActiveXobject("Word.Application");
This works fine on my local machine but I get the dreaded 'Automation server can't create object' error when I try it on other machines. I have searched and read the various articles on the topic and I understand that what I am trying to do is very,very bad, not safe, doesn't work on any browser than IE, and so on. This is for an internal test app in a trusted environment and all I want is for others to be able to access the page and see the result without forcing them to make extreme changes to their security settings.
So, here is my question. Is there a way that I can get this to run server side on my machine running IIS and hosting the website? Ideally I would like to be able to insert my HTML into an aspx file and, when the submit button is pushed, have it either run all the javascript on server side or at least run the portion that calls the activeX code. If this isn't feasible, can I migrate the specific functions that call the activeX and get the data to C# or VB and still run the safer functions in JS?
Thanks for your advice!

Related

Altering a server file through javascript code

So I have a setup of a tablet connected to a Raspberry Pi computer. I want to be able to have a webpage hosted on the Pi change the contents of a file also hosted on the Pi (which will be used in a python script that i have written). I tried having the file inside a hidden iframe, but while my javascript ran, it didn't ever actually change the contents.
How can i set up communication between the webpage and the server files? I know nothing about jQuery in the slightest, but if i have to use it, I will.
While you can actually do something with files in HTML5, you must know that Javascript is a client-side script. In other words JS 'runs' on the persons browser and not really your server.
Languages like PHP actually run on your server, and therefor are able to achieve what you want.
I'm not THE Javascript expert, and you might even be able to modify a server file with JS but it will be 'hacky' and have a poor implementation and you might need to run a sort of API on your server that actually does the changing..
Save yourself the trouble of doing it like that and pick the right language for the job. I would suggest PHP. Its fairly easy to set that up and run the website. PHP has enough ways to create, view and modify files on the server itself: http://php.net/manual/en/book.filesystem.php

making exe form HTML and Javascript

I was wondering I have PHP based server side stuff that accepts ajax requests and sends back JSON for JS. And I have HTML and JS based "client" now I would like to create exe(windows aplication) that would look the same as the "client" in browser but without browser. Preferably somehow grab that HTML and JS and "compile it" to regural client that would still send out AJAX calls and procesing JSON data.
Edit:
To clarify things:
Server(on webserver) is PHP procesing incoming AJAX calls and diplaing JSON as result.
Client(what I want to convertt to exe) is HTML and JS(Jquery) page(application).
I want for user to have option two to dowload client for windows so he/she dont have to use browser.
With https://electron.atom.io/ from Github you can develop Windows, Mac and Linux applications with Javascript, Html and CSS. You can also build mobile application with your web development skills. https://cordova.apache.org/.
You can use Electron, but if you just want something quick and easy to use, try Scriptonit. It's exactly for this kind of use. (Check out the documentation and the examples to see if this is the one for you.)
It's basically one exe plus a few sidecar files in a folder called app/, then it just works like a local browser without the frames & head. Also, it can access local files and run OS commands, even capture their output.
Side note 1: Yes it's mine, as you can see on the link - but no, that's not why I'm recommending it
Side note 2: It's 0.9 so it's not perfect, let me know if it misbehaves.
I don't think you can make a desktop application with markup languages. but then am also a newbie in this stuff but what I think you need is to develop a GUI in a programming language like java for example Swing docs.oracle.com/javase/tutorial/uiswing/ to mimic the apearance of your webpage. Then connect to your server by socket programming.

How to check the authenticity of a Chrome extension?

The Context:
You have a web server which has to provide an exclusive content only if your client has your specific Chrome extension installed.
You have two possibilities to provide the Chrome extension package:
From the Chrome Web Store
From your own server
The problem:
There is a plethora of solutions allowing to know that a Chrome extension is installed:
Inserting an element when a web page is loaded by using Content Scripts.
Sending specific headers to the server by using Web Requests.
Etc.
But there seems to be no solution to check if the Chrome extension which is interacting with your web page is genuine.
Indeed, as the source code of the Chrome extension can be viewed and copied by anyone who want to, there seems to be no way to know if the current Chrome extension interacting with your web page is the one you have published or a cloned version (and maybe somewhat altered) by another person.
It seems that you are only able to know that some Chrome extension is interacting with your web page in an "expected way" but you cannot verify its authenticity.
The solution?
One solution may consist in using information contained in the Chrome extension package and which cannot be altered or copied by anyone else:
Sending the Chrome extension's ID to the server? But how?
The ID has to be sent by you and your JavaScript code and there seems to be no way to do it with an "internal" Chrome function.
So if someone else just send the same ID to your server (some kind of Chrome extension's ID spoofing) then your server will consider his Chrome extension as a genuine one!
Using the private key which served when you packaged the application? But how?
There seems to be no way to access or use in any way this key programmatically!
One other solution my consist in using NPAPI Plugins and embed authentication methods like GPG, etc. But this solution is not desirable mostly because of the big "Warning" section of its API's doc.
Is there any other solution?
Notes
This question attempts to raise a real security problem in the Chrome extension's API: How to check the authenticity of your Chrome extension when it comes to interact with your services.
If there are any missing possibilities, or any misunderstandings please feel free to ask me in comments.
I'm sorry to say but this problem as posed by you is in essence unsolvable because of one simple problem: You can't trust the client. And since the client can see the code then you can't solve the problem.
Any information coming from the client side can be replicated by other means. It is essentially the same problem as trying to prove that when a user logs into their account it is actually the user not somebody else who found out or was given their username and password.
The internet security models are built around 2 parties trying to communicate without a third party being able to imitate one, modify or listen the conversation. Without hiding the source code of the extension the client becomes indistinguishable from the third party (A file among copies - no way to determine which is which).
If the source code is hidden it becomes a whole other story. Now the user or malicious party doesn't have access to the secrets the real client knows and all the regular security models apply. However it is doubtful that Chrome will allow hidden source code in extensions, because it would produce other security issues.
Some source code can be hidden using NPAPI Plugins as you stated, but it comes with a price as you already know.
Coming back to the current state of things:
Now it becomes a question of what is meant by interaction.
If interaction means that while the user is on the page you want to know if it is your extension or some other then the closest you can get is to list your page in the extensions manifest under app section as documented here
This will allow you to ask on the page if the app is installed by using
chrome.app.isInstalled
This will return boolean showing wether your app is installed or not. The command is documented here
However this does not really solve the problem, since the extension may be installed, but not enabled and there is another extension mocking the communication with your site.
Furthermore the validation is on the client side so any function that uses that validation can be overwritten to ignore the result of this variable.
If however the interaction means making XMLHttpRequests then you are out of luck. Can't be done using current methods because of the visibility of source code as discussed above.
However if it is limiting your sites usability to authorized entities I suggest using regular means of authentication: having the user log in will allow you to create a session. This session will be propagated to all requests made by the extension so you are down to regular client log in trust issues like account sharing etc. These can of course be managed by making the user log in say via their Google account, which most are reluctant to share and further mitigated by blocking accounts that seem to be misused.
I would suggest to do something similar to what Git utilises(have a look at http://git-scm.com/book/en/Git-Internals-Git-Objects to understand how git implements it), i.e.
Creating SHA1 values of the content of every file in your
chrome-extension and then re-create another SHA1 value of the
concatenated SHA1 values obtained earlier.
In this way, you can share the SHA1 value with your server and authenticate your extension, as the SHA1 value will change just in case any person, changes any of your file.
Explaining it in more detail with some pseudo code:
function get_authentication_key(){
var files = get_all_files_in_extension,
concatenated_sha_values = '',
authentication_key;
for(file in files){
concatenated_sha_values += Digest::SHA1.hexdigest(get_file_content(file));
}
$.ajax({
url: 'http://example.com/getauthkey',
type: 'post'
async: false,
success:function(data){
authentication_key = data;
}
})
//You may return either SHA value of concatenated values or return the concatenated SHA values
return authentication_key;
}
// Server side code
get('/getauthkey') do
// One can apply several type of encryption algos on the string passed, to make it unbreakable
authentication_key = Digest::<encryption>.hexdigest($_GET['string']);
return authentication_key;
end
This method allows you to check if any kind of file has been changed maybe an image file or a video file or any other file. Would be glad to know if this thing can be broken as well.

How to execute shell scripts from a web page via javascript/jquery and get its results in a string?

in a simple html file opened locally via firefox I need some javascript code to execute a command (maybe "ls") and get it's result in a string I can use in js/jquery to alter the page contents.
I already know this is a generally bad idea, but I have to make this little local html file capable of running several scripts without a server and without cgi.
In the past I've used to install a plugin in TiddlyWiki (www.tiddlywiki.com) to execute external commands (firefox requested authorization for every operation), so javascript can do it, but how to get command result in js after execution?
I don't believe there's any way to do this without a cooperating browser plug-in. The browser plug-in would be told what command to execute via javascript, it would go execute that command and then call you back with a callback when the results were available. This could be very dangerous as giving the browser access to your local system in almost anyway opens you up to lots of types of attacks (which is why browsers don't offer this capability).

JavaScript logger into a rolling file

i've a JavaScript application.
I'd like to use a logger but instead of logging to a console (like Firebug or Yahoo UI), I'd like to log to a file or several files.
Ideally, It should be possible to back up the files when they reach a certain limit.
thanks.
Writing to a file on the client machine is not generally possible via JavaScript running in a web page. It can be done in IE using ActiveX (when the user has allowed it) and I think also in Firefox when the user has enabled an obscure setting, but is generally not possible. There are various questions about this in Stack Overflow. For example:
Is it possible to write to a file (on a disk) using JavaScript?
Read/write to file using jQuery
Bearing that in mind, it has never seemed worthwhile implementing a local file appender in log4javascript. If you do want to log to a file, I would suggest using the AjaxAppender to send log messages to the server and log those messages to log4j / log4net / log4php / whatever set up with a rolling file appender.
You may want to check out log4js. It is a logging API based on the popular log4j framework. It is an open source project, using the Apache License 2.0.
You may also want to check out the log4javascript project, written by the Stack Overflow regular #Tim Down.

Categories

Resources