Scramble page source - how?

Discussion in 'ASP General' started by Klaus Ambrass, Oct 3, 2003.

  1. Hi all,

    I write applications for my company's intraweb, and recently we've had some
    eager users trying to get at some data they shouldn't. The way they did it
    was to look at the page's input tags and hidden fields to construct their
    own URLs.

    Aside from poor design (which is being changed) - how can I scramble the
    page, so as the users can't simply use "View Source" from the menu? Is
    there a switch or component I can activate/install in ASP, can I change the
    ContentType or something else?

    It needs to not be totally secure, just enough to fend off the nosiest of my
    user herd.

    --
    Klaus Ambrass

    IT - Storstrøms Amt
     
    Klaus Ambrass, Oct 3, 2003
    #1

  2. Chopper

    It's not possible to scramble the HTML as the browser needs it in its
    original state in order to render the page.
    You can make it more difficult for the user to view the source by
    intercepting right-clicks in the page using JavaScript but AFAIK you cannot
    disable the 'Source' option in the 'View' menu (in IE at least).
    As it's on an intranet you could possibly make changes to each user's machine
    such as removing notepad? Further still, you might find there's something
    you can do in policy editor or even IEAK?
    I think the best solution is to make your code more secure, i.e. limit max
    characters on input fields, when posting form data use Request.Form("") and
    not simply Request(""), be very careful if using dynamic SQL to prevent SQL
    injection.
    Also do some simple auditing such as storing the time, IPs, hostnames with
    querystrings etc. so that you can work out who is doing what. You'll also be
    able to get a lot of information from your web logs.
    Just a thought, but I believe you can encrypt clientside VBScript. In which
    case (providing all your users used IE) you could get your browser to
    decrypt and output the HTML directly and therefore any source would simply
    show gibberish to the user. If this is possible then a simple search on
    Google will give them the tools to decrypt the VBScript.

    Anyways, a few possibilities/wild stabs in the dark.
    Please let me know what you end up doing.

    chopper
     
    Chopper, Oct 3, 2003
    #2

  3. Phill. W

    Klaus,

    Presumably your company has some sort of "Code of Conduct" that
    imposes restrictions and responsibilities on users of your computing
    resources? I would strongly suspect that the actions of these "eager
    users" of yours put them in breach of it. Such breaches, presumably,
    also have penalties associated with them.

    Find a copy of said C-of-C, and pass it across the desk of the
    miscreant's *Manager*. If nothing else, they should wind up with
    a lot more work to, so they won't have the /time/ to go "hacking"
    your applications. ;-)

    Regards,
    Phill W.


     
    Phill. W, Oct 3, 2003
    #3
  4. No you can't. But it isn't the ASP that you have to worry
    about... they never see the ASP since it is all "server-side". The
    only thing that loads into the browser is "client-side" script and the
    HTML. Your Form and the Hidden Fields are ultimately just HTML (not
    ASP).

    The form fields that are not "hidden" aren't any big deal since it is
    no secret what those are anyway, but the hidden fields can be replaced
    with Session Variables which they cannot see. This still doesn't
    prevent them from recreating their own form and submitting it, but it
    will limit them to only being able to use the normal visible fields
    when they do it.

    As long as you use content/error checking on the submitted data using
    server-side code to prevent erroneous data, they aren't going to be
    able to do anything with their "custom" form that they wouldn't have
    done with your original form anyway, so their little deed doesn't hurt
    anything.

    I've had to do the same as they for legitimate reasons before. I had
    to download a patch from a Vendor that used a Form and a ton of
    "client-side" javascript that was so full of crap and screwed up that
    the page wouldn't run right and the Form wouldn't submit properly. The
    only way to get my download was to gather the Form's Name, Method, and
    Action and find all the Fields, then build my own extremely simple
    HTML version of the Form and submit it to get my download. So nothing
    was harmed and it was the only way around the worthless pile of crap
    code that they had built the page with.

    --

    Phillip Windell [CCNA, MVP, MCP]

    WAND-TV (ABC Affiliate)
    www.wandtv.com

     
    Phillip Windell, Oct 3, 2003
    #4
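
Added example (editor's illustration, not part of any post in this thread and not ASP code): a small Python model of the advice in posts #2 and #4, with the record id held in server-side session state instead of a hidden field, input read only from the POST body, a server-side length check, and an audit entry when a client supplies state the server owns. All names and the sample data are constructed for the illustration.

```python
import secrets

# Constructed sample data and in-memory stores (assumptions for this model).
RECORDS = {101: {"owner": "alice", "salary": 41000},
           102: {"owner": "bob", "salary": 58000}}
SESSIONS = {}   # session id -> server-side state (the role of ASP's Session)
AUDIT = []      # stand-in for the audit log suggested in post #2


def login(user):
    """Create a session; the record the user may see is stored server-side."""
    sid = secrets.token_hex(16)
    record_id = next(k for k, v in RECORDS.items() if v["owner"] == user)
    SESSIONS[sid] = {"user": user, "record_id": record_id}
    return sid


def handle_weak(query, form):
    """Before: trusts a client-supplied id from any collection, like ASP's
    Request("id"), which searches QueryString before Form."""
    merged = {**form, **query}          # query string wins, as in Request("")
    return RECORDS.get(int(merged["id"]))


def handle_hardened(sid, query, form, remote_ip):
    """After: record id comes from the session; only the POST body is read."""
    session = SESSIONS.get(sid)
    if session is None:
        AUDIT.append((remote_ip, "no-session", dict(query)))
        return None
    if "id" in query or "id" in form:
        # The client sent state the server owns: record it, then ignore it.
        AUDIT.append((remote_ip, session["user"], {**query, **form}))
    note = form.get("note", "")         # Request.Form equivalent: body only
    if len(note) > 200:                 # server-side length check
        return None
    record = RECORDS[session["record_id"]]
    return {"owner": record["owner"], "salary": record["salary"], "note": note}
```
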
  5. This is where the move to asp.NET comes in really handy. By storing things
    in the ViewState that used to be in hidden inputs, and by relying on the
    PostBack event to do the form submission, it is a lot harder to fake out an
    asp.NET application with a GET string in the URL.

    R.
     
    Richard K Bethell, Oct 3, 2003
    #5
  6. Tim

    do what the spammers do - put loads of html comment in the code
    eg

    1<!--OADASDHKJOASJDH-->2<!--123kljlASDUIOADA-->3

    will just print 123




     
    Tim, Oct 3, 2003
    #6
  7. Hi guys,

    thanks for your input which was surprisingly diverse.
    I will re-think my design and put the hidden fields in session-variables.
    And the people who are too eager will have a talk with their manager(s).

    Thanks for all your input.

    --
    Klaus Ambrass

    IT - Storstrøms Amt
     
    Klaus Ambrass, Oct 6, 2003
    #7