Website Source Code Thought
-
We're able to view any website's HTML and in (almost) all cases, the javascript code as well. Might sound a bit silly but any website out there which actually tries to protect it's code from the viewer? Javascript and probably CSS can go in protected mode by including the files in the html or aspx pages than including them in the main page itself. Can this improve a website's security by any way?
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
-
We're able to view any website's HTML and in (almost) all cases, the javascript code as well. Might sound a bit silly but any website out there which actually tries to protect it's code from the viewer? Javascript and probably CSS can go in protected mode by including the files in the html or aspx pages than including them in the main page itself. Can this improve a website's security by any way?
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
HTML is just markup - fancy formatting for text - so "protecting" it is like protecting the text you're displaying to the user. ie kinda pointless. CSS is just styling and layout, so the same deal. However, one minor niggle here is that maybe you have content on your site you don't want some people to see (hidden link, hidden that only spiders and bots will see). In this case the HTML and CSS could be used to hide stuff, and so obfuscating this may be useful. That is, if hiding ocntent on a webpage is useful. Javscript obfuscation is well known and falls into the same bucket as any other obfuscation such as .NET binaries.
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
-
HTML is just markup - fancy formatting for text - so "protecting" it is like protecting the text you're displaying to the user. ie kinda pointless. CSS is just styling and layout, so the same deal. However, one minor niggle here is that maybe you have content on your site you don't want some people to see (hidden link, hidden that only spiders and bots will see). In this case the HTML and CSS could be used to hide stuff, and so obfuscating this may be useful. That is, if hiding ocntent on a webpage is useful. Javscript obfuscation is well known and falls into the same bucket as any other obfuscation such as .NET binaries.
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
-
HTML is just markup - fancy formatting for text - so "protecting" it is like protecting the text you're displaying to the user. ie kinda pointless. CSS is just styling and layout, so the same deal. However, one minor niggle here is that maybe you have content on your site you don't want some people to see (hidden link, hidden that only spiders and bots will see). In this case the HTML and CSS could be used to hide stuff, and so obfuscating this may be useful. That is, if hiding ocntent on a webpage is useful. Javscript obfuscation is well known and falls into the same bucket as any other obfuscation such as .NET binaries.
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
Agreed about Layout HTML and CSS. Javascript can be hidden with a simple include of a file inside script tag right? We don't even need to go for obfuscation. Unless obfuscation means the same thing. Okay I'm a bit confused. Pardon this newb! :)
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
-
Agreed about Layout HTML and CSS. Javascript can be hidden with a simple include of a file inside script tag right? We don't even need to go for obfuscation. Unless obfuscation means the same thing. Okay I'm a bit confused. Pardon this newb! :)
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
Nithin Sundar wrote:
Javascript can be hidden with a simple include of a file inside script tag right?
Not quite. You can, usually, easily, figure out the path of the file: then, slap it in the web-browser address bar, and download it. However, if it's encrypted, obfuscated, etc. ? Well, I'm not sure about this, because I have looked at site's file includes maybe once or twice only, out of curiosity, but I suspect any hacker with moderate level skills could be using some kind of tools to watch everything happening "under the hood" ? Again, I have no knowledge in this area, but I bet there are some hacker tools out there specifically for tracing code executing in the browser, etc. best, Bill
“Every existing thing is born without reason, prolongs itself out of weakness, and dies by chance.” Jean-Paul Sartre, "Nausea"
-
Agreed about Layout HTML and CSS. Javascript can be hidden with a simple include of a file inside script tag right? We don't even need to go for obfuscation. Unless obfuscation means the same thing. Okay I'm a bit confused. Pardon this newb! :)
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
-
Nithin Sundar wrote:
Javascript can be hidden with a simple include of a file inside script tag right?
Not quite. You can, usually, easily, figure out the path of the file: then, slap it in the web-browser address bar, and download it. However, if it's encrypted, obfuscated, etc. ? Well, I'm not sure about this, because I have looked at site's file includes maybe once or twice only, out of curiosity, but I suspect any hacker with moderate level skills could be using some kind of tools to watch everything happening "under the hood" ? Again, I have no knowledge in this area, but I bet there are some hacker tools out there specifically for tracing code executing in the browser, etc. best, Bill
“Every existing thing is born without reason, prolongs itself out of weakness, and dies by chance.” Jean-Paul Sartre, "Nausea"
That was a great explanation Thanks! :D But according to what you said, does that mean the person trying to download the js file can still get it even if I place it in a folder with no access to others? I have seen websites saying "You don't have permission to access "Folder"" sometimes when the website is down.
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
-
He could an obfuscated Silverlight App ;)
Software Kinetics Wear a hard hat it's under construction
Metro RSSI thought that Silverdark was obfuscated. :-D
Panic, Chaos, Destruction. My work here is done. Drink. Get drunk. Fall over - P O'H OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre I cannot live by bread alone. Bacon and ketchup are needed as well. - Trollslayer Have a bit more patience with newbies. Of course some of them act dumb - they're often *students*, for heaven's sake - Terry Pratchett
-
I thought that Silverdark was obfuscated. :-D
Panic, Chaos, Destruction. My work here is done. Drink. Get drunk. Fall over - P O'H OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre I cannot live by bread alone. Bacon and ketchup are needed as well. - Trollslayer Have a bit more patience with newbies. Of course some of them act dumb - they're often *students*, for heaven's sake - Terry Pratchett
-
Agreed about Layout HTML and CSS. Javascript can be hidden with a simple include of a file inside script tag right? We don't even need to go for obfuscation. Unless obfuscation means the same thing. Okay I'm a bit confused. Pardon this newb! :)
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
Ultimately, you can't hide the JavaScript. The browser has to be able to get to it to run it, which means that a copy has to "come to" your machine.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
My blog | My articles | MoXAML PowerToys | Mole 2010 - debugging made easier - my favourite utility
-
That was a great explanation Thanks! :D But according to what you said, does that mean the person trying to download the js file can still get it even if I place it in a folder with no access to others? I have seen websites saying "You don't have permission to access "Folder"" sometimes when the website is down.
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
Nithin Sundar wrote:
does that mean the person trying to download the js file can still get it even if I place it in a folder with no access to others?
You website too will not be able to use that file then. You will get a 403 error for the request (just for that file) and thus your site will also break if that js file is referenced.
Nithin Sundar wrote:
I have seen websites saying "You don't have permission to access "Folder"
That's a different thing. It's called "Directory Listing" which is disabled by default or your website content will be seen by others.
..Go Green..
-
He could an obfuscated Silverlight App ;)
Software Kinetics Wear a hard hat it's under construction
Metro RSS -
You would still be able to get to the source of the script in that way if it is a link. The only way for that would be obfuscation, meaning the code get made unreadable by human.
-
Ultimately, you can't hide the JavaScript. The browser has to be able to get to it to run it, which means that a copy has to "come to" your machine.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
My blog | My articles | MoXAML PowerToys | Mole 2010 - debugging made easier - my favourite utility
-
Nithin Sundar wrote:
Javascript can be hidden with a simple include of a file inside script tag right?
Not quite. You can, usually, easily, figure out the path of the file: then, slap it in the web-browser address bar, and download it. However, if it's encrypted, obfuscated, etc. ? Well, I'm not sure about this, because I have looked at site's file includes maybe once or twice only, out of curiosity, but I suspect any hacker with moderate level skills could be using some kind of tools to watch everything happening "under the hood" ? Again, I have no knowledge in this area, but I bet there are some hacker tools out there specifically for tracing code executing in the browser, etc. best, Bill
“Every existing thing is born without reason, prolongs itself out of weakness, and dies by chance.” Jean-Paul Sartre, "Nausea"
BillWoodruff wrote:
but I bet there are some hacker tools out there specifically for tracing code executing in the browser, etc.
There are, they're called Webkit browsers... Just right click and inspect away! The best way to obfuscate JS is to get it written by a "Professional", it's guaranteed to be completely incomprehensible. ;) Server side is the way to go if you want to hide your nefarious deeds from the general public. Danny
-
We're able to view any website's HTML and in (almost) all cases, the javascript code as well. Might sound a bit silly but any website out there which actually tries to protect it's code from the viewer? Javascript and probably CSS can go in protected mode by including the files in the html or aspx pages than including them in the main page itself. Can this improve a website's security by any way?
My Blog My Achievements: * Posted 25,000th message in GIT O_O * Official supporter of the "thatraja's GIT Meet Sponsor Foundation" :D What you do, when you don't know what to do is what you do when you don't want to do what you do.
In all my years of web-surfing, I have successfully come across a single site that successfully protects its information (More than its code really) The server reads the information from a database, horrifically muddles the order of the words, splatters them in the code, then uses some rather funky CSS to make the text perfectly readable to the viewer. This makes it impossibly to simply copy-paste information from the site. I can't remember which site specifically, but it was awesome :laugh:
-= Reelix =-
-
In all my years of web-surfing, I have successfully come across a single site that successfully protects its information (More than its code really) The server reads the information from a database, horrifically muddles the order of the words, splatters them in the code, then uses some rather funky CSS to make the text perfectly readable to the viewer. This makes it impossibly to simply copy-paste information from the site. I can't remember which site specifically, but it was awesome :laugh:
-= Reelix =-
yeah, it was, i hope you remember
-
Ultimately, you can't hide the JavaScript. The browser has to be able to get to it to run it, which means that a copy has to "come to" your machine.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
My blog | My articles | MoXAML PowerToys | Mole 2010 - debugging made easier - my favourite utility
Perhaps someday we will have "compiled Javascript" where instead of the browser downloading the Javascript source, it downloads a compiled binary of the Javascript to run in some sort of VM (a la Java or .NET)... then again, that's essentially how Java applets and Silverlight work, apart from the source being Javascript! But perhaps someone has written a compiler that turns Javascript into JVM or CLR bytecode already?
-
Well you could use serverside javascript or indeed any other language for any functionality you don't want publicly visible
You can do that. Or you could use your server side language.... The problem comes in when the JS or client side code must run on the client. In those cases... it must run on the client. If the client can run it, the client can see it.
-
I thought that Silverdark was obfuscated. :-D
Panic, Chaos, Destruction. My work here is done. Drink. Get drunk. Fall over - P O'H OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre I cannot live by bread alone. Bacon and ketchup are needed as well. - Trollslayer Have a bit more patience with newbies. Of course some of them act dumb - they're often *students*, for heaven's sake - Terry Pratchett