  1. #1
    SitePoint Addict

    include .js file into html page differently

    hi,

    Usually when you associate a js file into a page, it will be something like the following:

    Code HTML4Strict:
    <script type="text/javascript" src="overall.js"></script>
    <script type="text/javascript" src="core.js"></script>

    For security reasons, I would like to associate my core.js without it appearing in the HTML source. Is it possible?

  2. #2
    SitePoint Zealot Mattinblack
    Not really. The best you can do is write a js file that itself loads the target file,
    then add a few nonsense lines top and bottom like:

    Code:
    if (2>3){
        if (a>b) alert('willy wonka');
        if (c>3) alert('chocolate factory');
        document.write('<a href="http://www.webmaster-a.com">webmaster resources</a>');
        c=a+b/22.43;
    }
    document.write('<script type="text/javascript" src="core.js"></script>');
    if (14.5<12){
        if(this.info){
            s=this.a[s];
            $$('h3',this.r)[0].innerHTML=s.t;
            $$('p',this.r)[0].innerHTML=s.d;
            this.r.style.height='auto';
            var h=parseInt(this.r.offsetHeight);
            this.r.style.height=0;
            TINY.height.set(this.r,h,this.infoSpeed,0)
        }
    }
    In other words, stuff that looks ok (you can copy it from an existing script) but will never execute apart from your target file load.

    Then go to javascriptobfuscator and get the code obfuscated. This will give you (for the above example):

    Code:
    var _0xdd02=["\x77\x69\x6C\x6C\x79\x20\x77\x6F\x6E\x6B\x61","\x63\x68\x6F\x63\x6F\x6C\x61\x74\x65\x20\x66\x61\x63\x74\x6F\x72\x79","\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x65\x62\x6D\x61\x73\x74\x65\x72\x2D\x61\x2E\x63\x6F\x6D\x22\x3E\x77\x65\x62\x6D\x61\x73\x74\x65\x72\x20\x72\x65\x73\x6F\x75\x72\x63\x65\x73\x3C\x2F\x61\x3E","\x77\x72\x69\x74\x65","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x63\x6F\x72\x65\x2E\x6A\x73\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x69\x6E\x66\x6F","\x61","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x68\x33","\x72","\x74","\x70","\x64","\x68\x65\x69\x67\x68\x74","\x73\x74\x79\x6C\x65","\x61\x75\x74\x6F","\x6F\x66\x66\x73\x65\x74\x48\x65\x69\x67\x68\x74","\x69\x6E\x66\x6F\x53\x70\x65\x65\x64","\x73\x65\x74"];if(0x2>0x3){if(a>b){alert(_0xdd02[0x0]);} ;if(c>0x3){alert(_0xdd02[0x1]);} ;document[_0xdd02[0x3]](_0xdd02[0x2]);c=a+b/22.43;} ;document[_0xdd02[0x3]](_0xdd02[0x4]);if(14.5<0xc){if(this[_0xdd02[0x5]]){s=this[_0xdd02[0x6]][s];$$(_0xdd02[0x8],this[_0xdd02[0x9]])[0x0][_0xdd02[0x7]]=s[_0xdd02[0xa]];$$(_0xdd02[0xb],this[_0xdd02[0x9]])[0x0][_0xdd02[0x7]]=s[_0xdd02[0xc]];this[_0xdd02[0x9]][_0xdd02[0xe]][_0xdd02[0xd]]=_0xdd02[0xf];var h=parseInt(this[_0xdd02[0x9]][_0xdd02[0x10]]);this[_0xdd02[0x9]][_0xdd02[0xe]][_0xdd02[0xd]]=0x0;TINY[_0xdd02[0xd]][_0xdd02[0x12]](this[_0xdd02[0x9]],h,this[_0xdd02[0x11]],0x0);} ;} ;

  3. #3
    SitePoint Wizard
    If you want to hide your javascript to help prevent it from being copied by novices, then go ahead and do stuff like that.

    If you want to hide your javascript because some security aspect depends on it, stop now and rethink and redesign, because you won't be very successful.

  4. #4
    SitePoint Addict
    Yes, preventing people from copying is also a part of the reason why I want this, but another is security. Some not-so-novice users may try to edit the variables/codes that are critical for ajax execution and so on and may substitute values with the ones of their liking etc. Which could seriously mess up things.

  5. #5
    SitePoint Wizard
    Then your application design is fatally flawed from a security standpoint. You should redesign it so that it does not need to trust user supplied input.

    Anything clientside, such as javascript or html etc... is just an advisory. You use them to "advise" a user/browser how and when they should form a certain type of message to a webserver. The webserver must be able to validate incoming messages, because the client is free to send anything they want, whenever they want. This is a core concept you must live by if you want to create web applications that work in the way you intended.

  6. #6
    logic_earth
    Security through obscurity is not security, remember that.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  7. #7
    Mattinblack
    Quote Originally Posted by logic_earth
    Security through obscurity is not security, remember that.
    True but obfuscation will defeat 99.9% of people who try.

  8. #8
    logic_earth
    Quote Originally Posted by Mattinblack
    True but obfuscation will defeat 99.9% of people who try.
    And where pray tell did you get such a figure as that?

    It is really easy to explain. Those that are going to compromise the system are not the general public of users. So your "defeat 99.9%" statement only works if you include the general public that are not trying to compromise the system.

    Obfuscation will not stop/defeat an attacker.


  9. #9
    Mattinblack
    Quote Originally Posted by logic_earth
    And where pray tell did you get such a figure as that?

    It is really easy to explain. Those that are going to compromise the system are not the general public users. So your "defeat 99.9%" statement only works if you include the general public that are not trying to compromise the system.
    I got that figure from an SEO conference (SMX) in London earlier this year where the discussion was about the security of user content cloaking using jscript. You are kinda trusting about the general public. There was an experiment done with a 'honeytrap' on an adult site where the videos were loaded by javascript and rotated on a daily basis. Webstats showed around 48% of the visitors viewed the javascript file to see the filenames of the vids they had not seen and presumably cut n pasted URLs straight into the browser window. The filenames were changed and the jscript obfuscated, and the number of visitors that viewed vids they were not meant to went down to less than 1 in 1000.
    Interestingly, it was also proved that Google can at least read URLs from js files and that obfuscation prevents this as well.

    Sure, you can never make browser side scripting 100% secure, but sometimes it's counterproductive to make things too complex. You have to ask yourself what the data/consequences are worth to you and plan accordingly. I use a lot of jscript and ajax on some sites to take load off the server and put it on the browser - for example, if I have a 2000 entry array to sort every time the page loads I will do it in jscript and either post results back to php or use it on the page. I tend to use obfuscation on three or four routines that are sensitive and it works for me.

  10. #10
    SitePoint Enthusiast LewisClarkTrail
    Quote Originally Posted by logic_earth
    Obfuscation will not stop/defeat an attacker.
    No, but it will frustrate people who are too lazy to develop their own code.

  11. #11
    SitePoint Addict
    Interesting discussions. By the way, I do have checks and verifications on the server-side php page while using ajax. But it's just that I'd feel all the more happy if my JavaScript is not tampered with.

  12. #12
    paul_wilkins
    You cannot guarantee that the javascript isn't tampered with.

    Perform all of your checks on the server-side, use javascript to improve the user experience, and do not trust user submitted data.

    As long as you check all inputs, and outputs, you'll protect yourself from 99% of the problems out there.

    Javascript checks must be considered as a secondary process, only to help make the user experience easier before the server performs its own checks.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  13. #13
    Mattinblack
    Quote Originally Posted by cssExp
    Interesting discussions. By the way, I do have checks and verifications on the server-side php page while using ajax. But it's just that I'd feel all the more happy if my JavaScript is not tampered with.
    That's good, but you can also use ajax to provide javascript with a magic cookie that it returns to you with its next call - just an extra security layer... but it works.

