How to hash/encrypt string value in JavaScript? I need a mechanism to do so for hiding some data in localStorage/cookie?
It is something related to security concern but I want some protection for my data.
There are lots of encryption libraries for javascript. Here's the first one that came up on Google: http://crypto.stanford.edu/sjcl/
Your user can always gain access to the key, so this won't protect data from your user. If you want to hide things from the user, you'll have to encrypt it on the server and never send the key to the client.
Related
I want to encrypt my API data so that the user can't see it in the network tab or as plaintext in something like the window.__nuxt__ object.
The way I'm doing this now:
encrypt data in back-end with a secret string (like a password)
send encrypted data to front-end
decrypt it on client-side (using the same password as in the back-end)
Here is the problem: The function that decrypts my data can be found by looking through the bundled JavaScript files in the Browser.
Although the function is obfuscated, it is possible the reverse engineer it. And since the password is stored within the function (it has to be, right? Since I don't have the process.env variables on the client-side) everyone can(theoretically) scrape my data.
What is the best way to prevent this?
I know that the data is visible eventually in the browser. I just don't want it the be visible in plaintext.
I'm using express in the back-end and NuxtJS in the front-end by the way.
There's no way to prevent this. All you can do is make it more difficult.
Ultimately, if the data is visible to the user in the browser, you can just get it from the DOM in memory. All the code to transform the encrypted data into the original information must be supplied if you need the user to see the data.
You can obfuscate the code, but your attacker doesn't even need to reverse engineer it to get the data, they just need to run it.
I want integrate on-line payments with my web (html + jquery). Easiest way is just send form on specific link. One of parameters is signature. Signature is hash from from fields and private key. Problem is I don't wanna expose my private key in javascript code. Is any secure way to do it?
Here is test code for form:
http://developers.payu.com/en/restapi.html#creating_new_order_form
and signature generating algoritm:
http://developers.payu.com/en/restapi.html#references_form_signature
Short answer is... No. Well, maybe but not really.
You cannot do the whole process in Javascript securely as it requires you to load the key into the users browser. That's an instant security game over.
What you can do is have a server (key store) somewhere that holds your private key and encrypts messages on demand. That would prevent end users seeing your private key, but it just moves the problem down the line - how do you know that the browser making the request is a genuine user and not someone malicious? If you just sign anything you're presented, you may as well skip the security entirely. If you're going to have a server anyway, why not use it to serve the webpages and validate form data too?
So really, you need something server-side that validates user input, checks that it's sane/untampered and then signs the message and passes it on.
You have to ask yourself why you need to do this from within a browser... The whole point of signing a message is to prove who it comes from. If it's coming from someone else's browser and you know nothing about the message, why would you sign it as authentic and coming from you?
I am attempting to 'secure' (as I know it won't be very secure) the data in a indexedDB on the client side for an OFFLINE WEB APP (i.e. anyone who is attempting to access the data will be able to see the encryption method used so I am aware that makes brute force pretty damned easy!)
I am going to encrypt it using the Username and Password as that is the only thing I could possibly keep secret.
There are loads of ways to do this, however I have one requirement that has me stumped - I need to maintain the ability to be able to search the database.
Can anybody point me in the direction of how I can encrypt data but still be able to search it.
The encryption doesn't have to be bank-level security by any means, just want to protect the database in case a tablet etc. got lost so that 99% of people wouldn't be able to view the data directly.
You can try my library, ydn-db. For encrypted, you can only search by primary key only thought.
Is there any way that i can (securely, base64 ruled out) encrypt data in javascript without using encryption keys. I know its unlikely, because my encryption engine would be available, but does anyone know of any method that can be used
EDIT:
Upon request, i am trying to hide data that a user entered into a textbox before it gets submitted. The data is completely random and the user will never be asked to write it again. Its not a password, its essentially like a post
No.
You need keys for encryption to be secure.
If you don't have keys then either nobody can unlock it or everybody can.
I think it would be more helpful if you explained what you were trying to accomplish. What are you trying to protect? Who are you trying to protect it from? Where are you sending the data?
If you are trying to hide something from the client, encrypting it on the clients machine means you would never be truly secure.
If you are trying to have the client send encrypted data to a server of yours, why not just use SSL? This is far easier.
Why not HTTPS?
What's the source of the data and where is it going? What's the difficulty of using keys? Again, why not HTTPS?
NEVER trust client-side data! ALWAYS presume can be deleted anytime and user can access and edit it anytime.
How can I store data on the clients side securely (not viewable/visible) in javascript.
In particular, I want to grab an array from the database with PHP and then use that array for autosuggestion data. Currently I am setting the array as a JS variable, however it can be seen in the html page source code.
I have looked at autosuggestions online and came across: http://www.brandspankingnew.net/specials/ajax_autosuggest/ajax_autosuggest_autocomplete.html
I cannot find where the autosuggestion data is being stored, which is what I want for my script. Help!
No, what you are trying to do is impossible. Javascript is being run by the client and thus the client has absolute control over the data. If you are trying to store a secret in javascript then an attacker can use a debugger to see it in memory. But this is the worst case. Its easier a lot easier to manipulate the traffic with TamperData, or manipulate the javascript directly with Greasemonkey.
If it is sensitive data like usernames or passwords, you shouldn't auto suggest anything. If it is not sensitive data, the AJAX solution from your link is the obvious way to go, but you could easily store it in a cookie if it is not more than 4kb, or in various cookies otherwise.