Is there a way to tell debugging tools (firebug and the likes) never to be enabled for your website regardless of user's browser configurations?
no.
client is free to do whatever it sees fit with your javascript. You may try to obfuscate - but this is not effective against determined developers
Scripts, HTML, CSS, Images everything is loaded to the client before the page opens. So he can do anything he likes with what he has in his system. There is no way to disable it.
Even If there is a possibility of doing such, he can remove that as well.
So, basically its a wasted effort.
Related
I'm investigating something and it led me to a website online.
I haven't yet visited the website because I have reason to believe that it may have malicious content.
I know that in Google Chrome, you can view the source code of a webpage by pressing Ctrl-U. Unfortunately, that requires having visited the page.
Then I discovered that you can get the source code of a webpage without visiting it by adding view-source: before the https:// part of the URL.
So I can view Wikipedia's home page source code with view-source:https://www.wikipedia.org.
I want to do the same with the potentially malicious website but I don't want anything to happen to my computer. The only person I could consult regarding the website said that it "tracks the hell out of your computer". While whomever they heard that from does have a background in network engineering, they themselves don't, so I don't have any detailed information about it.
I know that basically all websites "track" you, i.e., gather information about your computer, such as its IP address, window resolution, user login, etc. by installing cookies on the user's computer to be requested later upon the next visit, but I don't know much about how far those abilities can extend.
I also found out from somewhere (I may be wrong) that there is a difference between "view page source" and "inspect page source" because the first one gives you the raw source code before any JavaScript is applied and the second one is available once you're on the site and any applicable JavaScript has already been applied and you can see its results.
Based on that, I'm assuming that it's perfectly safe to use the view-source: technique if I don't care about the results of the scripts on the page.
So essentially, I need to know these things:
Is it really perfectly safe to use view-source:? I'm assuming not, so I'd like to know exactly what risks I'm taking and what risks I'm avoiding by doing this. EDIT: Forgot to mention. Does the website know that I'm viewing its source code, and does it by that fact know that my IP address requested its source code?
Assuming I can read the JavaScript scripts, can I get a general sense of what the scripts do by reading what I get from view-source: alone, or can a webpage access scripts from other webpages without them explicitly being written on that page? (I'm assuming they can do that since I see hyperlinks on other websites ending in .js that I can click on revealing more JavaScript scripts) Note: I don't really care what the content of the webpage is in terms of what an ordinary user sees, since my investigation already knows and/or doesn't care about what is on it, I just care about what the webpage does in terms of tracking users.
What can "tracking the hell out of your computer" entail exactly? In other words, what are some worst-case scenarios? No scenario is too outlandish; part of my investigation is to learn about this kind of stuff since it will help us down the line.
The general answer is to just disable javascript and cookies in your browser first.
Generally yes it's ok to view source, especially if javscript is disabled prior.
You can if their scripts are readable, many sites however will minimize the code, which is generally not very readable.
If javascript is disabled it's likely that their tracking would not work or at best be incomplete.
I ignore the "how to ask" topic from above for now to answer your question.
What I am not sure whether Stack Overflow is the right site for it in Stack Exchange.
The question is basically what threats you suspect from your "potentially malicious page".
If your concerns are mainly about privacy, it might be OK to take the risk.
Sometimes I even just use "incognito mode", despite I know about it flaws, if the threat I suspect is limited.
If your concern is that the page code might try to elevate privileges out of the sandbox using security issues in the browser or more, you would basically trust the security implementation of the same software, which the page is trying to "hack in".
For the latter I at least use a read-only VM with minimal software and network access or, when it is about a serious threat, e.g. a ransomware, really an old notebook, which gets installed before and wiped after or even the hard-disk destroyed afterwards.
And even with the latter, I am taking the risk, that something might have modified the BIOS.
Well let's say you have a virus that you designed yourself on your computer using JavaScript. If you save the source code of the virus as a .js file on your device, your device will not be harmed because it has not become a virus yet, or in other words, it has not been run. Now let's consider that you have browsed a malicious site, but you do not realize that since you visited the site and the browser has turned on the source code of the site, i.e. The browser has edited the virus or ran it, but if you view the source code of the site via view-source: the virus will not run even if it exists because the browser has not translated the site yet, meaning that it is practically still closed and you have never visited it only you It shows the source code of the site and does not go to the site, it's like an apk file that has not been installed yet. I get my point
This question already has answers here:
How to detect if browser console / inspector is *open*?
(3 answers)
Closed 3 years ago.
I've been searching high and low but all I could find are ways to detect chrome Dev Tools and FireBUG Dev Tools. Is there a way to detect, on Firefox, that the Inspect Element/console/Dev Tool is open?
It is impossible to actually hide your client side source code without actually removing said code from being accessed client side. The simple reason for this is the fact that the code has to be downloaded to the client for it to be used. Once downloaded, it's visible to the user. No exceptions. You can do things like 'security through obscurity', but that too is not going to prevent people from downloading/viewing the source. It's just going to make the code harder to read.
If you want to prevent users from seeing your code, you're basically forced to handle the parts of the code you wish to hide server side. This way, only the input and output are visible to users, while hiding the logic that processes it.
There are some other tricks you could potentially do to make it harder to acces your code (not impossible by a long shot), but I wouldn't recommend those either. Those are usually reliant on browser security settings, easily prevented through broswer add-ons, etc.
If instead you want to prevent users from seeing your code, because you're handling security sensitive operations client side, I suggest you go back to web development 101 and check why that's an inherently bad idea.
EDIT: To purely detect if DevTools is open, you can use this: https://github.com/sindresorhus/devtools-detect and simply follow the readme.
Is there any possibility to set the Internet Explorer settings by running Javascript file..?
I want to set the following settings in IE through javascript/Jquery
Go to, ‘Tools’ -> ’Internet options’.
Under ‘General’ tab, click the ‘Settings’ button in the ‘Browsing History’ section.
Choose the radio button "Every time I visit the webpage".
Click ‘OK’ and restart the IE.
This is not possible - it'd be a bit of a security hole if sites were able to do this...
Firstly, the short answer is no: You can't do what you're asking for.
Javascript within the browser is heavily restricted to only being able to access resources for the actual page being viewed. This is an important security feature.
You cannot access other pages or other tabs. You cannot access parts of the browser UI outside of the page itself. You cannot run external programs.
Even if you could, the way you've described it wouldn't work anyway: The settings page you've described is specific to one particular version of IE. So your hypothetical program wouldn't work in any other browser or even any other version of IE.
However, more importantly, you need to ask yourself why you're asking for this.
The thing is that you're trying to solve a problem with your site. You've found something that resolves it, and you've asked a question about how to automate that. But you need to work backward a bit -- stop trying to work out how to automate this particular solution: you need to ask yourself whether there might be a different way of solving the original problem, which could be automated.
The fact is this: the config setting you're trying to change is for handling how the browser deals with caching of files. There are ways of changing the behaviour of caching that can be scripted by your site. You might want to look at questions like this one for example.
The lesson here is this: Don't simply ask how to do something; explain why you're trying to do it as well. There might be an alternative solution that's better than the one you've thought of.
No, it's not possible to do using JavaScript.
This is not what Javascript designed to do. There is only a way to read browser setting from JS - using signed scripts.
Is there a way to hide the google toolbar in my browser programmable?
You haven't said which browser you are using so I'm going to assume Internet Explorer* and answer No.
If JavaScript on a web page could manipulate the browser, it would be a serious security hole and could create a lot of confusion for users.
So no... for a good reason: Security.
*. If you were using Firefox, and were talking about JavaScript within an extension to manipulate and theme the window chrome then this would be a different story.
I really think that it is imposible to do that with javascript. This is because javascript is designed to control the behaviour of the site. And the browser is not part of the site.
Of course maby you are talking about some other Google toolbar then the plugin in the browser.
As far as I know, you cannot access these parts of the browser due to security issues. But you can load new browser windows without toolbars as such. I don't know exactly how (hopefully other users will help yout out), but maybe start here: http://www.experts-exchange.com/Web/Web_Languages/JavaScript/Q_20782379.html
(PS: I know, it's experts-exchange, but I'm not going to copy someone elses work, even if it's posted on EE).
I'm thinking this might be a quick and easy way to lower the form spam on our site just a little bit. The idea being that (I have read) spammers aren't running with javascript enabled. (Or at least they are accessing your website without running javascript. I.e., they aren't browsing up to it in IE or FF.
I can use .asp or .aspx.
The simplest way is to set a cookie via javascript and check for it on postback.However, if you're looking to minimize spam you should actually have the browser perform a simple task which requires javascript execution. See Phil Haack's "Invisibile Captcha Validator" control, which has since been included in his Subkismet library: http://haacked.com/archive/2006/09/26/Lightweight_Invisible_CAPTCHA_Validator_Control.aspx
In .net, you can use Request.Browser.JavaScript to detect if the browser supports JavaScript. However, the user may still have Javascript disabled. An ugly way to check to see if Javascript is enabled, is to use window.location to redirect to page.aspx?jscript=true, and then check Request.Querystring for that value.
So, you want to force users to use JavaScript in order to use your site? I'd rather just use a simple Captcha. If you aren't a big-name site, you can get away with some relatively simple Captchas.
That's how we reduced spam at our site.
To be honest, you shouldn't need to use a server-side language to detect javascript, and furthermore spammers are not necessarily not running javascript. (sorry about the double-negative) Your objective is good, but your approach is wrong - implementing a CAPTCHA, as suggested by a few of our peers, would be a great way to handle this.
I see you've accepted the noscript answer, but how will you use this to fight spam? noscript will allow you to add special content for users without JS, but unless you're generating the rest of your site in JS, it will still be available to user agents without JS.
A captcha of some sort is still likely the best bet. Ultimately, you're trying to get the user agent to prove that it's being controlled by a human, so do your best to make it prove that actual fact, instead of something else. Screen readers for the visually impaired typically go without Javascript, too, and many people browsing from mobile devices have Javascript disabled to speed things up.