Currently I am in need of being able to tell the difference between a private address and a web reachable one.
I need to be able to test for the following:
You are given a list of ipv6 on an interface and need to know which addresses are web reachable. It is possible for none of these addresses to be non private. If the address is changed, it would be best to be able to track which one (I can figure that out after I have a private address test method).
This is written in javascript on node.js
What you're looking for is the IPv6 scope: "web reachable" are addresses in the global scope. The scopes are described here:
http://en.wikipedia.org/wiki/IPv6_address#IPv6_address_scopes
You could parse the address yourself -- OR you could save yourself some time and use the ipv6 module (npm install ipv6 --save):
var v6 = require('ipv6').v6;
var addr = new v6.Address('2001:db8:85a3:8d3:1319:8a2e:370:7348');
if(addr.getScope()==='Global'){
console.log('valid global ipv6 address');
}
Disclaimer: I don't really know that much about IPv6...but I'm figuring it out. I found this discussion of the different scopes useful, by the way:
Link-local and global IPs on IPv6 interfaces
I'm working with the following assumptions:
you're using appropriate standards to define private vs. web-reachable
for our purposes web-reachable means not private
in particular, we're only interested in the format of the address, not whether a device will actually respond at that address
... with those assumptions, it should be fairly easy. According to this page (which links here), you just have to test that the address starts with fd1, perhaps with the regular expression /^fd1/, to confirm that it is a private address.
Likewise, according to this page, you can test for 0:0:0:0:0:0:0:1 or ::1 for the loopback address.
Related
Can you share your views on Creating a private and protected members in Javascript.
I mean really protective not just convention like Douglas Crockford said.
Do not use _ (underbar) as the first character of a name. It is sometimes used to indicate privacy, but it does not actually provide privacy. If privacy is important, use the forms that provide private members. Avoid conventions that demonstrate a lack of competence.
"use strict";
function MyMain(){
this.checkauth=false;
}
MyMain.prototype.init=function(){
return Object.create(this);
}
MyMain.prototype.authenticate=function(key){
//resp is server response hold true for the given key. here validate method will interact with server and get concerned response
var resp=validate(key);
if(resp){
this.checkauth=true;
return true;
}
return false;
}
MyMain.prototype.test=function(){
if(this.checkauth==true){
console.log("this is working")
}else{
console.log("Not authorized")
}
}
Well i failed in explaining see the Edit i have made.
i have no intention of making authorization on client side. I made it on server and making private member true saying server has validated the user and my question is how to make this secure.
and users who have access to my Javascript file can read all of it and authenticate like this.
var main=new MyMain();
main.checkauth=true;
main.test();
Looking for help on creating secure authentication via javascript.
While there are various ways to mask variables and make then tricky to access, the main benefits of these techniques is that they stop you from accessing them by accident.
The owner of the browser has access to all of the code and all of the data that you send to the browser.
You can't stop them accessing it.
If you want to do secure authentication then you must do it on the server.
i have no intention of making authorization on client side.
If you weren't doing authz client side, then users setting main.checkauth=true; wouldn't be a problem for you.
You need to not send the data and JavaScript that should be available only to authorized users if the user isn't authorized. At the moment you seem to be authorizing on the server but sending all the data/JS that is for authorized users to the client regardless (just with a little bit of client side code that says "Please don't look at this").
I am simply trying to achieve something like this:
function getIp() {
var urlenter = document.getElementById('io');
var IPOUT = urlenter.IpAdress !------HERE!!!!!!!!------!
location.href = IPOUT;
}
so if I typed 'facebook.com' in 'io' it would set the href to the ip adress of facebook.com
JavaScript doesn't have any concept of hostnames or IP addresses. You would have to use an external service to resolve an IP address from a hostname.
That's not possible with JavaScript alone.
The resolving between IP addresses and hostnames are handled at the DNS level, which is way before JavaScript ever comes to life. It only gets to know the host it is connected to, whether that is by an actual hostname or an IP address.
Still though, you could have JavaScript connect to an outside service, e.g. your server via Ajax, and have it make the resolving.
I am new to web servers and node.js and I need some help.
I have no idea what to put in the .listen();
I think since I want it to connect to the internet the server needs to listen to port 80 but but I don't know what to put as the second value.
.listen(80, "What do I add here?");
Also i have a free domain name (www.example.co.cc) that is pointing to a dynamic dns (DnsExit) since I dynamic ip. I installed to program needed to update my ip address.
Is there anything I am missing?
Have you seen the example on the homepage of the Node.js project?
http://nodejs.org/
It clearly demonstrated .listen( 1337, "127.0.0.1" ); and then the next line reads Server running at http://127.0.0.1:1337/ - so the second argument is the IP you want to listen on. If you then take a look at the documentation you will see that this second argument is actually optional, if you omit it, Node.js will accept incoming connections directed at any IPv4 address.
http://nodejs.org/docs/v0.5.6/api/http.html#server.listen
just wondering. Isn't this considered a threat?
Let's say that 192.168.0.1 is a networkrouter with a administrationpanel on port 80. If you get a user to execute a similar snippet, wouldn't you be able to "bruteforce" the password? Considering network devices like networkrouters often feature default usernames and passwords.
<script>
function imgerror(data)
{
alert('The following '+data.src+ ' failed due to wrong password/username.');
}
</script>
<img src="user:password#192.168.0.1/menu_button.gif" onerror="imgerror(this)">
menu_button.gif is in this case a button used in the administrationpanel - and protected by http basic authentication.
It would only be a vulnerability if the developer/network administrator didn't care about security on their network.
It is VERY old idea http://web.archive.org/web/20070315010517/www.spidynamics.com/spilabs/js-port-scan/
javascript:var i=document.createElement('IFRAME');i.src='http://192.168.1.1/';document.body.appendChild(i);void(0);
Try this one, and find crossnetwork warning in the iframe below*.
requires aware UA :)
Techniques varies, the essence is the same - to execute script at the trusted side of firewall
This is possible, even more sofisticated with some more lines of JS/Ajax (see XXS).
What that means is you cannot trust NOBODY, even in your own network. If you cannot trust nobody and you have a basic security schema (as basic http authentification) you must use hard breakable passwords or if security is an issue (most private users do not know what security means at all) you MUST apply secure protocols.
If you use standard or blank passwords is leting the door open.
I was wondering if it was possible to grab the username of the account logged into the computer. I wanted to print the username of the person that is printing out the pdf file.
I was thinking about trying to grab the %username% environment variable. Does not seem to be possible.
In Acrobat JavaScript, many local system parameters are considered privileged. The user's login name is one of these. In order to access the "identity" object the JavaScript code has to be executed from a trusted context. Code inside a PDF doesn't qualify. Or at least it doesn't normally. If the local system user has given explicit permission to the PDF, then it can access privileged data. But obviously this isn't a general purpose solution. Typically the "identity" object is only accessible to Folder Level Automation scripts.
Thom Parker
www.pdfscripting.com
take a look a the identity object.
name = identity.name; //gives you the user name that the user entered in the Identity preferences panel
userName = identity.loginName; //login name as registered by the operating system
This may be possible to some extent server-side. Here's an NTLM auth module for Apache/Unix, and here's one for Apache/Windows.