|
|
I have been in an argument at work involving this and I just want other people to hopefully back me up, but if I am wrong PLEASE let me know.
The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page. This would matter because like I asked before, information would be stored in hidden variables due to not using session variables. I am pushing for this change but for the time being that is what the mindset is. What I am asking is will this work, will it not work, and if not what can I tell these guys to convince them that they are wrong?
Thanks!
Cleako
|
|
|
|
|
That is so wrong it is not even funny. If I ever saw a security module like that actually being implemented I would recommend the developer by downgraded to chasis shiner. There is a rule to web development, If you trust your client your software will not be secure.
Sorry but anything on the client side will NEVER be secure.
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
i am agree with Brad.
You cant secure ur data by using javascript...
for example...
open any of ur page which is having hidden fields ooand text fields
and then copy this code and paste it on to address and press enter.
javascript:var x=document.getElementsByTagName("input");alert(x.length); for(var i=0;i<x.length;i++){alert(x[i].type);if(x[i].type=="text"){alert(x[i].value)}}
what have="" u="" seen...
this="" is="" very="" simple="" you="" can="" do="" much="" more="" then="" this...
bu="" now="" thing="" i="" will="" like="" to="" mention..="" am="" also="" using="" js="" in="" my="" current="" project="" and="" used="" heavily...="" but="" who="" gona="" crack="" it..="" knows="" the="" architecture="" of="" project..="" from="" where="" data="" comming..="" more...
who="" that="" when="" element="" being="" created="" it="" destroyed...
and="" tell="" what="" no="" body="" read="" or="" scan="" ur="" code...="" becuse="" time="" design="" twice..
so="" r="" not="" wrong="" want="" difficult...="" either="" this="" any="" other="" mean...
and="" end="" customer="" see="" which="" technology="" used...="" he="" look="" on="" time..
hope="" understand="" whats="" say...
=""
<div="" class="ForumSig">Ravi Kant Srivastava
(System Analyst)
HandsOn Technology & Engineering
Gurgaon
(India)
e-mail:ravikant@hte.co.in
|
|
|
|
|
I agree with the ability to use Java Script but to simply check for client scripting enabled, disabling the right mouse button click, and disabling the CTRL-N for new page which would contain the address bar seems like a bad way to control if someone can see, say, the SSN that someone might store as a hidden variable.
Even if you implement this, if someone can use some cross-site scripting somehow, couldnt they get all of those values or some reference to them and then exploit that?
Cleako
|
|
|
|
|
ANYTHING client-side can be seen and tempered with, end of story (this includes javascript, hidden form fields, cookies, session IDs, HTTP headers etc.). Javascript is not secure and in terms of security/validation should only be used to enhance the user experience by not requiring a server trip, server-side validation should still be implemented.
Besides, what if a perfectly authentic user comes along with no javascript? They won't be able to use the application!
|
|
|
|
|
JavaScript can extend and enrich the user experience. There should be a resilent serverside component to check the integretity of data against any tampering as well as hijacking.
|
|
|
|
|
That is why I try to tell these folks but there is a developer that has been here for a while whose every word is trusted. I have had argument after argument about doing things like straight SQL in the site code, Java Script to control every action, using Java Script as the only means of validation but requiring that client scripting be enabled, etc etc etc...
Cleako
|
|
|
|
|
Here are the arguments you need.
1. You can see the source of any web page, no matter what you do on the browser. If you managed to lock down the browser, the data can still be seen using a packet sniffer like Wireshark.
2. Since the browser and the transmission media cannot be trusted, the incoming data has to checked at the first point where you can check it and be sure that no one can modify it further. That point is your web server. So, you have to make sure that all data conforms to expected ranges and that no *bad* characters make it through in the parameters that will be used in generating SQL statements.
3. If the incoming data is not sanitized, hackers can send in SQL fragments in such a manner that they can compromise your SQL server. This mechanism is called SQL injection.
So, if you really care about security, please use TLS/SSL to encrypt the channel (only needed if sensitive data is involved), validate user input at the server, and use javascript to enhance user experience.
Thomas
modified 29-Aug-18 21:01pm.
|
|
|
|
|
That sounds great, now the question is will they believe me the guy that has worked there for 9 years that believes and has convinced others that JavaScript is a good model for security.
Cleako
|
|
|
|
|
cleako wrote: The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page.
That's ridiculous.
Any check for having Javascript enabled has to be done using Javascript, and the only way that the server will know the result is from what the browser sends in the next request, so the server can easily be fooled that the client has Javascript enabled.
Also, here are just some of the ways that you can get around the checks:
:: Select the "View Source" option in the menu.
:: Press Ctrl+U to view source (in Firefox).
:: Enable Javascript but disable replacing of the context menu.
:: Open the file in the browser cache.
:: View the form data in Page info (in Firefox).
:: Use a DOM inspector plugin to view the code.
:: Use a program other than a browser to request the page.
:: Intercept the network traffic to get the source before the browser does.
---
single minded; short sighted; long gone;
|
|
|
|
|
Hi,
I'm having this error,
'Bsc_Test1.src.controls.cont' does not contain a definition for 'ChartTitle'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'gcolors'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'XAxisTitle'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'YAxisItems'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'YAxisValues'
There definition is not writen in the back end code but it's in HTML of cont and cont is in folder src/controls. Please help me solve this.
Thanks.
|
|
|
|
|
first of all tell me what is this...
describe ur problem to get right answers, and quick help...
Ravi Kant Srivastava
(System Analyst)
HandsOn Technology & Engineering
Gurgaon
(India)
e-mail:ravikant@hte.co.in
|
|
|
|
|
Please tell first What are you doing ? are you using User control in web application ?
|
|
|
|
|
The Problem is that there is a Graph that has a definition That is in a folder 'src' the folder has a subfolder controls in control is an ascx file where a graph is difined using the html. Now the project has an aspx file 'NewGraph' where the ascx file is supposed to be excecuted. the code goes like
public src.controls.cont dngchart;
On Page_Load()
// Set our axis values
dngchart.YAxisValues = iValue;
// Set our axis strings
dngchart.YAxisItems = sItems;
// the colors
dngchart.gcolors=mags;
// Provide a title
dngchart.ChartTitle = "Inventory Breakdown:";
// Provide a title for the X-Axis
dngchart.XAxisTitle = "(units display actual numbers)";
When I try to Copile I get this error:
'Bsc_Test1.src.controls.cont' does not contain a definition for 'ChartTitle'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'gcolors'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'XAxisTitle'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'YAxisItems'
'Bsc_Test1.src.controls.cont' does not contain a definition for 'YAxisValues'.
What could it be?
|
|
|
|
|
If user control has no problem then check that you have register the user control properly and the Id of the usercontrol should be same as in aspx and aspx.cs ........
are you using VS2005/C# 2.0 ? Check it
|
|
|
|
|
What is Bsc_Test1.src.controls.cont?
What do you mean by its in the HTML? Is it in a server script block or is it the ID of an HTML element (or an ASP.NET control)?
|
|
|
|
|
How can integrate one text box and its result of a live website , multiple times in another webpage ?
I needed to c all the results of differnt queries in same webpage. Is there any websites supporting this ?
Please revert back?
Jaison
Jaison Peter
|
|
|
|
|
I'm not sure what you mean ? You want to take a value from a textbox in a different site ?
Christian Graus - Microsoft MVP - C++
Metal Musings - Rex and my new metal blog
|
|
|
|
|
I would assume he wanted to copy values between windows...
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
no
Suppose a webpage has a textbox and button and an area which shows results after calculating the value that we entered in the textbox after clicking the button.
This same thing.... i need multiple times ....in another webpage.
so that i can c the results of different queries in one single page... right ..
hope u understood .. if no revert back for clarifcation
|
|
|
|
|
Can you use a drawing to illustrate what you are trying to do?
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
OK
One webpage which shows results according to the data put inside the textbox.
There is nothing apart from that inside that website.
I want another website which shows same textbox and corresponding result (same thing multiple times)
So that i can able to get the result of different values inside the different textboxes by a single refresh of webpage
Now revert if diagrams needed !!
|
|
|
|
|
Please draw an image.
Brad
Australian
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
If i am not wrong, you are looking for following solution.
1- Create a page and use Webclient DownloadData method to extract the html from the required page.
2- Create a page with multiple frames or iframes and set the url of previously created page.
Regards
Prakash
|
|
|
|