Posted: Sat Aug 02, 2003 8:01 pm
by Gen-ik
No I haven't tried that yet but I will
I have also made a slight change to the my_script.php file because I had a line of code in the wrong place (doh).. so if you have time could you try to download it again and let me know what happens.
Thanks.
Posted: Sat Aug 02, 2003 8:14 pm
by McGruff
I'm a bit of a js luddite so I keep my scripts firmly locked away in a metal safe so I'm not even tempted to put them on a live site - very secure.
But seriously, good to see your post: security is a very important issue and security measures don't have to be 100% effective to be useful.
Posted: Sat Aug 02, 2003 8:15 pm
by patrikG
Didn't work in Firebird earlier because I had cookies disabled and session-trans-id isn't enabled in your php.ini. With cookies it works.
I could download everything (including script) just as before - both in IE & Firebird.
You could also try adding a
Code:
<meta http-equiv="expires" content="0">
OR
<meta http-equiv="cache-control" content="no-cache">
I doubt that would change anything though, since once the session is started, your javascript include-file is live.
Posted: Sat Aug 02, 2003 8:36 pm
by Drachlen
The first time i clicked the link, it loaded it with the text saying i couldn't view it, then i pushed back and clicked it again, and it asked to download it... this is what it contained:
Code:
alert("This alert comes to you from the secured JavaScript file.");
Windows 98 running Internet Explorer Version: 6.0
Posted: Sat Aug 02, 2003 8:37 pm
by Gen-ik
Sod it. Oh well at least it sort of works, and it's a start in the right direction I guess.
Right, back to the drawing board
PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.
If anyone does find a PHP way of doing this drop me a note or email.
Posted: Sun Aug 03, 2003 7:41 am
by twigletmac
In Moz Firebird I got shown this:
Code:
alert("This alert comes to you from the secured JavaScript file.");
every other time I clicked on the link.
Mac
Posted: Sun Aug 03, 2003 7:49 am
by patrikG
Did you make sure you have cookies enabled, Mac? I've done the same with Firebird 0.6 and I downloaded the .js-file sans problem.
Posted: Sun Aug 03, 2003 11:45 am
by qartis
Gen-ik wrote:
PS. On a similar note securing a javascript file IS 100% possible using Flash and document.createElement() but this only works on browsers which support document.createElement()... which is just IE5+ I think.
Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retrieve the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).
Posted: Sun Aug 03, 2003 12:30 pm
by m3rajk
qartis: that is exactly why i was trying to figure out how to encode things so it'd be sent in gibberish.
i've done network work before.
was also my first thought here. you can even use the sniffer to capture what's coming TO you if you're not on the network but can get a connection...(as i mentioned earlier)
Posted: Sun Aug 03, 2003 12:40 pm
by Gen-ik
qartis wrote:
Depends on your definition of 'safe'. Anyone who has done network security will tell you, data transmitted over a wire will never be secure. You're sending the browser some javascript, whether encoded, encrypted or otherwise, so anyone with a packet sniffer on the same network theoretically can retrieve the javascript in question. You may want to have a look at javascript.encode--client side encoded javascript, quite difficult to decrypt without the proper algorithms (though they are available).
This is a good point, but my thought on this is simply if someone wants to go to that much trouble to access a javascript file (using a packet-sniffer) then they should be ashamed of themselves and also should be taken to court. People secure stuff for a reason.
Personally if I found someone ripping off code that I had a: copyrighted and b: attempted to make secure then I wouldn't think twice about ripping off their thumbs.
Posted: Sun Aug 03, 2003 12:45 pm
by m3rajk
actually... when i worked in net ops i found out that there's a quirk with sniffers... technically they are illegal to use unless you're part of net ops for the place you're sniffing on, and even then only when it's for security purposes.
without that it technically falls under invasion of privacy, so you have to be able to prove you're doing it for the sole purpose of security not to have that issue, so not only could you bring them to civil court and probably win the case, you can actually press legal charges
*evil grin*
(just something i thought you might like to hear)
Posted: Sun Aug 03, 2003 1:11 pm
by Gen-ik
Right then ladies and gents I have made a slight change to the initial code I posted (the first entry in this topic).
I have now made the javascript file double-layered.. which means the first javascript file which gets included doesn't contain the code I'm trying to secure, what it does is include the javascript code into itself.
The same method is used (session var) but this might do the trick.
If you get time could you pop along to
http://www.urbanchaos.net/Lockdown/ and see what happens when you try and save the entire page, or access the 'hopefully semi-secure' javascript file.
Your help on this is appreciated

Posted: Sun Aug 03, 2003 1:19 pm
by patrikG
Nice idea (yet again :p), but I am sorry the test-balloon goes boom. I got both files with Firebird 0.6.
Code:
function test()
{
document.write('This text has been written by javascript found in the my_script.php file.');
}
and
Code:
document.write('<script language="JavaScript" src="my_script.php"></script>');

Posted: Sun Aug 03, 2003 1:52 pm
by Gen-ik
Ahh.. that Firebird needs to be shot
Ok, what about this. I emailed my server provider asking them if it was possible to CHMOD either the folder and/or files I'm trying to secure. This is the reply I got..
It is not possible using unix chmod. All data served by a webserver is public.
solution:
link to script.php instead of script.js -
in script.php check the HTTP_REFERRER or HTTP_HOST variable (see php.net for more) verify that it is called from the
right page or domain name (urbanchaos.net) then do an "include ./script-js-original.inc"
if everything is ok.
..
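<?php
// Host header of the current request (read from $_SERVER, so it does not depend on register_globals)
$refer = $_SERVER['HTTP_HOST'];
if ($refer == "www.urbanchaos.net") {
    // Requested on the expected domain: emit the real JavaScript
    include("./script-js-original.inc");
} else {
    echo "DENIED!";
}
?>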
if the visitors try to launch script.php outside your html pages it
will not work.
Has anyone tried something like this before and do you think it's a sound idea? I'm going to try and get it working and on-line in the next hour or so.
Posted: Sun Aug 03, 2003 2:12 pm
by patrikG
But the problem is not me accessing the .js-file in particular, rather ripping the entire website.
How is a webserver supposed to differentiate between a "normal" HTTP-request to dish out the data and a "rip"-request?
The solution your provider suggests doesn't help you there either. It simply prevents "direct" access to the file.
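
The point made in the last post, written out as an added example (not code from any poster or from the provider): the gate is modelled as a function over the request fields the server receives, and the request arrays are constructed. The `page_loaded` session flag and the `gate()` helper are hypothetical names; the host and URL are the ones quoted in the thread.

```php
<?php
// Added example: the gate as a pure function over what the server receives.
// All request arrays below are constructed for illustration.

const SITE_HOST = 'www.urbanchaos.net';                   // host named in the thread
const PAGE_URL  = 'http://www.urbanchaos.net/Lockdown/';  // test page from the thread

/** Decide whether script.php would serve the JavaScript for this request. */
function gate(array $server, array $session): bool
{
    $hostOk    = ($server['HTTP_HOST'] ?? '') === SITE_HOST;
    $refererOk = strpos($server['HTTP_REFERER'] ?? '', PAGE_URL) === 0;
    $sessionOk = !empty($session['page_loaded']);   // hypothetical session flag
    return $hostOk && $refererOk && $sessionOk;
}

// 1. Browser fetching the script while rendering the page.
$browserInclude = [
    'HTTP_HOST'    => SITE_HOST,
    'HTTP_REFERER' => PAGE_URL,
];

// 2. The same browser saving the page afterwards: the request carries the same
//    Host, Referer and session cookie, so the server-side view is identical.
$saveRequest = $browserInclude;

// 3. Direct request with no prior page visit: no Referer, no session flag.
$directRequest = ['HTTP_HOST' => SITE_HOST];

$cases = [
    'page include'  => [$browserInclude, ['page_loaded' => true]],
    'save/rip'      => [$saveRequest,    ['page_loaded' => true]],
    'direct, fresh' => [$directRequest,  []],
];

foreach ($cases as $label => [$server, $session]) {
    printf("%-14s %s\n", $label, gate($server, $session) ? 'SERVED' : 'DENIED!');
}

// A Host-only comparison passes all three cases: every request that reaches
// this virtual host carries the site's own name in its Host header.
foreach ($cases as $label => [$server]) {
    printf("%-14s host-only: %s\n", $label,
        $server['HTTP_HOST'] === SITE_HOST ? 'SERVED' : 'DENIED!');
}
```

Every field the gate inspects is supplied by the client, so the page include and the later save produce the same decision; code that must stay private has to run on the server rather than be sent to the browser.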