
Scramble page source - how?

Hi all,

I write applications for my company's intraweb, and recently we've had some
eager users trying to get at some data they shouldn't. The way they did it
was to look at the page's input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It need not be totally secure, just enough to fend off the nosiest of my
user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk
Jul 19 '05 #1

It's not possible to scramble the HTML as the browser needs it in its
original state in order to render the page.
You can make it more difficult for the user to view the source by
intercepting right-clicks in the page using JavaScript but AFAIK you cannot
disable the 'Source' option in the 'View' menu (in IE at least).
As it's on an intranet you could possibly make changes to each user's machine
such as removing notepad? Further still, you might find there's something
you can do in policy editor or even IEAK?
I think the best solution is to make your code more secure, i.e. limit max
characters on input fields, when posting form data use Request.Form("") and
not simply Request(""), be very careful if using dynamic SQL to prevent SQL
injection.
Also do some simple auditing such as storing the time, IPs, hostnames with
querystrings etc. so that you can work out who is doing what. You'll also be
able to get a lot of information from your web logs.
Just a thought, but I believe you can encrypt clientside VBScript. In which
case (providing all your users used IE) you could get your browser to
decrypt and output the HTML directly and therefore any source would simply
show gibberish to the user. If this is possible then a simple search on
google will give them the tools to decrypt the VBScript.

Anyways, a few possibilities/wild stabs in the dark.
Please let me know what you end up doing.

chopper
Jul 19 '05 #2
Klaus Ambrass wrote:
Aside from poor design (which is being changed) - how can I scramble
the page, so as the users can't simply use "View Source" from the
menu?
you can't

It need to not be totally secure, just enough to fend off the nosiest
of my user herd.


javascript - disable right click, but it won't take them long to work it
out.

--
William Tasso - http://WilliamTasso.com
Jul 19 '05 #3
Klaus,

Presumably your company has some sort of "Code of Conduct" that
imposes restrictions and responsibilities on users of your computing
resources? I would strongly suspect that the actions of these "eager
users" of yours put them in breach of it. Such breaches, presumably,
also have penalties associated with them.

Find a copy of said C-of-C, and pass it across the desk of the
miscreant's *Manager*. If nothing else, they should wind up with
a lot more work too, so they won't have the /time/ to go "hacking"
your applications. ;-)

Regards,
Phill W.
"Klaus Ambrass" <ka*@it.stam.dk > wrote in message
news:Xn******** *************@2 12.88.64.226...
. . .
I write applications for my company's intraweb, and recently we've had
some eager users trying to get at some data they shouldn't.
. . .
--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk

Jul 19 '05 #4
No you can't. But it isn't the ASP that you have to worry
about,...they never see the ASP since it is all "server-side". The
only thing that loads into the browser is "client-side" script and the
HTML. Your Form and the Hidden Fields are ultimately just HTML (not
ASP).

The form fields that are not "hidden" aren't any big deal since it is
no secret what those are anyway, but the hidden fields can be replaced
with Session Variables which they cannot see. This still doesn't
prevent them from recreating their own form and submitting it, but it
will limit them to only being able to use the normal visible fields
when they do it.

As long as you use content/error checking on the submitted data using
server-side code to prevent erroneous data, they aren't going to be
able to do anything with their "custom" form that they wouldn't have
done with your original form anyway, so their little deed doesn't hurt
anything.

I've had to do the same as they for legitimate reasons before. I had
to download a patch from a Vendor that used a Form and a ton of
"client-side" javascript that was so full of crap and screwed up that
the page wouldn't run right and the Form wouldn't submit properly. The
only way to get my download was to gather the Form's Name, Method, and
Action and find all the Fields, then build my own extremely simple
HTML version of the Form and submit it to get my download. So nothing
was harmed and it was the only way around the worthless pile of crap
code that they had built the page with.

--

Phillip Windell [CCNA, MVP, MCP]
pw******@wandtv.com
WAND-TV (ABC Affiliate)
www.wandtv.com

Jul 19 '05 #5
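
The approach suggested in replies #2 and #5 above (session variables in place of hidden fields, Request.Form rather than Request, server-side checks, simple auditing), shown as an added example that is not part of any poster's message. It is a classic ASP/VBScript handler; the page name update_phone.asp, the session key EmployeeId and the form field Phone are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' update_phone.asp (hypothetical): handles the POST from an "edit phone" form.
' Before: the form carried <input type="hidden" name="EmployeeId" value="...">
' and this page trusted it, so a hand-built form or URL could name any record.
' After: the server stored the id in Session("EmployeeId") when it rendered the
' form, so the id never reaches the browser.
Dim employeeId, phone, i, ok

' 1. The record to change comes from the session only.
employeeId = Session("EmployeeId")
If IsEmpty(employeeId) Then
    Response.Status = "403 Forbidden"
    Response.Write "No record selected."
    Response.End
End If

' 2. An id supplied by the client is ignored, but noted on the IIS log line,
'    which normally already holds the time, client IP and requested URL.
If Request.Form("EmployeeId").Count > 0 Or _
   Request.QueryString("EmployeeId").Count > 0 Then
    Response.AppendToLog "|tamper=EmployeeId"
End If

' 3. Read the visible field from the POST body only; Request("Phone") would
'    also accept it from the query string or a cookie. Cap the length and
'    restrict the characters on the server, whatever maxlength the HTML set.
phone = Trim(Request.Form("Phone"))
ok = (Len(phone) >= 3 And Len(phone) <= 20)
For i = 1 To Len(phone)
    If InStr("0123456789+- ", Mid(phone, i, 1)) = 0 Then ok = False
Next
If Not ok Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid phone number."
    Response.End
End If

' 4. employeeId and phone can now go to the data layer as bound parameters.
Response.Write "Validated update for record " & Server.HTMLEncode(CStr(employeeId)) & "."
%>
```

A hand-built form can still post to this page, but it can only change the record the server already selected for that session, and any attempt to name another record leaves a marker in the web log.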
This is where the move to asp.NET comes in really handy. By storing things
in the ViewState that used to be in hidden inputs, and by relying on the
PostBack event to do the form submission, it is a lot harder to fake out an
asp.NET application with a GET string in the URL.

R.
Jul 19 '05 #6
Tim
do what the spammers do - put loads of html comment in the code
eg

1<!--OADASDHKJOASJDH-->2<!--123kljlASDUIOAD A-->3

will just print 123


Jul 19 '05 #7
Klaus Ambrass <ka*@it.stam.dk > wrote in
news:Xn******** *************@2 12.88.64.226:

Hi guys,

thanks for your input which was surprisingly diverse.
I will re-think my design and put the hidden fields in session-variables.
And the people who are too eager will have a talk with their manager(s).

Thanks for all your input.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk
Jul 19 '05 #8
