PHPers rejoice.. keep your JavaScript secure!

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

No I haven't tried that yet but I will :)

I have also made a slight change to the my_script.php file because it I had a line of code in the wring place (doh).. so if you have time could you try to download it again and let me know what happens.

Thanks.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I'm a bit of a js luddite so I keep my scripts firmly locked away in a metal safe so I'm not even tempted to put them on a live site - very secure.

But seriously, good to see your post: security is a very important issue and security measures don't have to be 100% effective to be useful.
User avatar
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Didn't work in Firebird earlier because I had cookies disabled and session-trans-id isn't enabled in your php.ini. With cookies it works.

I could download everything (including script) just as before - both in IE & Firebird.

You could also try adding a

Code: Select all

<meta http-equiv="expires" content="0">

OR

<meta http-equiv="cache-control" content="no-cache">
I doubt that would change anything though, since once the session is started, your javascript include-file is live.
Drachlen
Forum Contributor
Posts: 153
Joined: Fri Apr 25, 2003 1:16 am

Post by Drachlen »

The first time i clicked the link, it loaded it with the text saying i couldnt view it, then i pushed back and clicked it again, and it asked to download it... this is what it contained:

Code: Select all

alert("This alert comes to you from the secured JavaScript file.");
Windows 98 running Internet Explorer Version: 6.0
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Sod it. Oh well at least it sort of works, and it's a start in the right direction I guess.

Right, back to the drawing board :)


PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.

If anyone does find a PHP way of doing this drop me a note or email.
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

In Moz Firebird I got shown this:

Code: Select all

alert("This alert comes to you from the secured JavaScript file.");
every other time I clicked on the link.

Mac
User avatar
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Did you make sure you have cookies enabled, Mac? I've done the same with Firebird 0.6 and I downloaded the .js-file sans problem.
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada
Contact:

Post by qartis »

PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.
Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retreive the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

quartis: that is exactly why i was trying to figure out how to encode things so it'd be sent in gibberish.

i've done network work before.

was also my first thought here. you can even use the sniffer to capture what's coming TO you if you're not on the network but can get a connection...(as i mentioned earlier)
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

qartis wrote: Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retreive the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).

This is a good point, but my thought on this is simply if someone wants to go to that much trouble to access a javascript file (using a packet-sniffer) then they should be ashamed of themself and also should be taken to court. People secure stuff for a reason.

Personally if I found someone ripping off code that I had a: copyrighted and b: attemped to make secure then I wouldn't think twice about ripping off their thumbs.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

actually... when i worked in net ops i found out that there's a quirk with sniffers... technically they are illegal to use unless you're part of net ops for the place you're sniffing on, and even then only when it's for security purposes.

without that it technically falls under invasion of privacy, so you have to be able to prove you're doing it for the sole purpose of security not to have that issue, so not only could you bring them to civil court and problaby win the case, you can actually press legal charges

*evil grin*
(just something i thought you might like to hear)
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Right then ladies and gents I have made a slight change to the initial code I posted (the first entry in this topic).

I have now made the javascript file double-layered.. which means the first javascript file which gets included doesn't contain the code I'm trying to secure, what it does is include the javascript code into itself.

The same method is used (session var) but this might do the trick.


If you get time could you pop along to http://www.urbanchaos.net/Lockdown/ and see what happens when you try and save the entire page, or access the 'hopefully semi-secure' javascript file.


You help on this is apreciated :)
User avatar
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Nice idea (yet again :p), but I am sorry the test-baloon goes boom. I got both files with Firebird 0.6.

Code: Select all

function test()
&#123;
	document.write('This text has been written by javascript found in the my_script.php file.');
&#125;
and

Code: Select all

document.write('<script language="JavaScript" src="my_script.php"></script>');
;)
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

Ahh.. that Firebird needs to be shot :)


Ok, what about this. I emailed my server provider asking them if it was possible to CHMOD either the folder and/or files I'm trying to secure. This is the reply I got..
It is not possible using unix chmod. All data served by a webserver is public.

solution:
link to script.php instead of script.js -
in script.php check the HTTP_REFERRER or HTTP_HOST variable (see php.net for more) verify that it is called from the
right page or domain name (urbanchaos.net) then do an "include ./script-js-original.inc"
if everything is ok.
..

<?
$refer=$HTTP_HOST;
if ($refer=="www.urbanchaos.net") {
include ("./script-js-original.inc");
}
else
{
echo "DENIED!";
}

?>


if the visitors try to launch script.php outside your html pages it
will not work.

Has anyone tried something like this before and do you think it's a sound idea. I'm going to try and get it working and on-line in the next hour or so.
User avatar
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

But the problem is not me accessing the .js-file in particular, rather ripping the entire website.

How is a webserver supposed to differentiate between a "normal" HTTP-request to dish out the data and a "rip"-request?

The solution your provider suggests doesn't help you there either. It simply prevents "direct" access to the file.
Post Reply