Scramble page source - how?


Klaus Ambrass

Hi all,

I write applications for my company's intraweb, and recently we've had some
eager users trying to get at some data they shouldn't. The way they did it
was to look at the page's input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It needs to not be totally secure, just enough to fend off the nosiest of my
user herd.
 

Chopper

Klaus Ambrass said:
Hi all,

I write applications for my company's intraweb, and recently we've had some
eager users trying to get at some data they shouldn't. The way they did it
was to look at the page's input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It needs to not be totally secure, just enough to fend off the nosiest of my
user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
(e-mail address removed)

It's not possible to scramble the HTML as the browser needs it in its
original state in order to render the page.
You can make it more difficult for the user to view the source by
intercepting right-clicks in the page using JavaScript but AFAIK you cannot
disable the 'Source' option in the 'View' menu (in IE at least).
As it's on an intranet you could possibly make changes to each user's machine
such as removing Notepad? Further still, you might find there's something
you can do in Policy Editor or even IEAK?
I think the best solution is to make your code more secure, i.e. limit max
characters on input fields, when posting form data use Request.Form("") and
not simply Request(""), be very careful if using dynamic SQL to prevent SQL
injection.
Also do some simple auditing such as storing the time, IPs, hostnames with
querystrings etc. so that you can work out who is doing what. You'll also be
able to get a lot of information from your web logs.
Just a thought, but I believe you can encrypt client-side VBScript. In which
case (providing all your users used IE) you could get your browser to
decrypt and output the HTML directly and therefore any source would simply
show gibberish to the user. If this is possible then a simple search on
Google will give them the tools to decrypt the VBScript.

Anyways, a few possibilities/wild stabs in the dark.
Please let me know what you end up doing.

chopper
 

Phill. W

Klaus,

Presumably your company has some sort of "Code of Conduct" that
imposes restrictions and responsibilities on users of your computing
resources? I would strongly suspect that the actions of these "eager
users" of yours put them in breach of it. Such breaches, presumably,
also have penalties associated with them.

Find a copy of said C-of-C, and pass it across the desk of the
miscreant's *Manager*. If nothing else, they should wind up with
a lot more work too, so they won't have the /time/ to go "hacking"
your applications. ;-)

Regards,
Phill W.


 

Phillip Windell

No you can't. But it isn't the ASP that you have to worry
about,...they never see the ASP since it is all "server-side". The
only thing that loads into the browser is "client-side" script and the
HTML. Your Form and the Hidden Fields are ultimately just HTML (not
ASP).

The form fields that are not "hidden" aren't any big deal since it is
no secret what those are anyway, but the hidden fields can be replaced
with Session Variables which they cannot see. This still doesn't
prevent them from recreating their own form and submitting it, but it
will limit them to only being able to use the normal visible fields
when they do it.

As long as you use content/error checking on the submitted data using
server-side code to prevent erroneous data, they aren't going to be
able to do anything with their "custom" form that they wouldn't have
done with your original form anyway, so their little deed doesn't hurt
anything.

I've had to do the same as they for legitimate reasons before. I had
to download a patch from a Vendor that used a Form and a ton of
"client-side" JavaScript that was so full of crap and screwed up that
the page wouldn't run right and the Form wouldn't submit properly. The
only way to get my download was to gather the Form's Name, Method, and
Action and find all the Fields, then build my own extremely simple
HTML version of the Form and submit it to get my download. So nothing
was harmed and it was the only way around the worthless pile of crap
code that they had built the page with.

--

Phillip Windell [CCNA, MVP, MCP]
(e-mail address removed)
WAND-TV (ABC Affiliate)
www.wandtv.com
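
An added example, not part of any post in this thread: a minimal Python model (not ASP) of the change discussed above, with the value that used to travel in a hidden field kept in server-side session state, the visible field validated on the server, and the attempt logged as suggested earlier in the thread. All names and data here are hypothetical and constructed for illustration.

```python
# Constructed model of one intranet form handler; all names are hypothetical.
REPORTS = {"hr": "HR salary report", "it": "IT asset report"}
SESSIONS = {}   # session id -> state kept on the server, never sent to the browser
AUDIT = []      # (user, ip, note) tuples for later review

def login(session_id, user, dept):
    """Record the department on the server at login time."""
    SESSIONS[session_id] = {"user": user, "dept": dept}

def report_hidden_field(form):
    """Before: the department arrives in a hidden input, so the client picks it."""
    return REPORTS.get(form.get("dept"))

def report_session(session_id, ip, form):
    """After: the department comes from the session; the form is only validated."""
    state = SESSIONS.get(session_id)
    if state is None:
        raise PermissionError("not logged in")
    # A client-supplied 'dept' is ignored, but a mismatch is worth recording.
    if "dept" in form and form["dept"] != state["dept"]:
        AUDIT.append((state["user"], ip, "dept=%r ignored" % form["dept"]))
    # Server-side check of the one field the user is allowed to choose.
    year = form.get("year", "")
    if not (len(year) == 4 and year.isascii() and year.isdigit()):
        raise ValueError("year must be four digits")
    return "%s %s" % (REPORTS[state["dept"]], year)

if __name__ == "__main__":
    login("s1", "klaus", "it")
    forged = {"dept": "hr", "year": "2004"}   # constructed hand-built request
    print(report_hidden_field(forged))        # the hidden-field design serves it
    print(report_session("s1", "10.0.0.7", forged))
    print(AUDIT)
```
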
 

Richard K Bethell

Klaus Ambrass said:
Hi all,

I write applications for my company's intraweb, and recently we've had some
eager users trying to get at some data they shouldn't. The way they did it
was to look at the page's input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

This is where the move to ASP.NET comes in really handy. By storing things
in the ViewState that used to be in hidden inputs, and by relying on the
PostBack event to do the form submission, it is a lot harder to fake out an
ASP.NET application with a GET string in the URL.

R.
 

Tim

Do what the spammers do - put loads of HTML comments in the code,
e.g.

1<!--OADASDHKJOASJDH-->2<!--123kljlASDUIOADA-->3

will just print 123
 

Klaus Ambrass

Hi guys,

thanks for your input which was surprisingly diverse.
I will re-think my design and put the hidden fields in session-variables.
And the people who are too eager will have a talk with their manager(s).

Thanks for all your input.
 
