Scramble page source - how?

Hi all,

I write applications for my company's intraweb, and recently we've had some
eager users trying to get at some data they shouldn't. The way they did it
was to look at the pages' input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It need not be totally secure, just enough to fend off the nosiest of my
user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk
Jul 19 '05 #1

"Klaus Ambrass" <ka*@it.stam.dk> wrote in message
news:Xn*********************@212.88.64.226...
Hi all,

I write applications for my company's intraweb, and recently we've had some eager users trying to get at some data they shouldn't. The way they did it
was to look at the pages' input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It need not be totally secure, just enough to fend off the nosiest of my user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk


It's not possible to scramble the HTML as the browser needs it in its
original state in order to render the page.
You can make it more difficult for the user to view the source by
intercepting right-clicks in the page using JavaScript but AFAIK you cannot
disable the 'Source' option in the 'View' menu (in IE at least).
As it's on an intranet you could possibly make changes to each user's machine
such as removing notepad? Further still, you might find there's something
you can do in policy editor or even IEAK?
I think the best solution is to make your code more secure, i.e. limit max
characters on input fields, when posting form data use Request.Form("") and
not simply Request(""), be very careful if using dynamic SQL to prevent SQL
injection.
Also do some simple auditing such as storing the time, IPs, hostnames with
querystrings etc. so that you can work out who is doing what. You'll also be
able to get a lot of information from your web logs.
Just a thought, but I believe you can encrypt clientside VBScript. In which
case (providing all your users used IE) you could get your browser to
decrypt and output the HTML directly and therefore any source would simply
show gibberish to the user. If this is possible then a simple search on
google will give them the tools to decrypt the VBScript.

Anyways, a few possibilities/wild stabs in the dark.
Please let me know what you end up doing.

chopper
Jul 19 '05 #2
Klaus Ambrass wrote:
Aside from poor design (which is being changed) - how can I scramble
the page, so as the users can't simply use "View Source" from the
menu?
you can't

It need to not be totally secure, just enough to fend off the nosiest
of my user herd.


javascript - disable right click, but it won't take them long to work it
out.

--
William Tasso - http://WilliamTasso.com
Jul 19 '05 #3
Klaus,

Presumably your company has some sort of "Code of Conduct" that
imposes restrictions and responsibilities on users of your computing
resources? I would strongly suspect that the actions of these "eager
users" of yours put them in breach of it. Such breaches, presumably,
also have penalties associated with them.

Find a copy of said C-of-C, and pass it across the desk of the
miscreant's *Manager*. If nothing else, they should wind up with
a lot more work too, so they won't have the /time/ to go "hacking"
your applications. ;-)

Regards,
Phill W.
"Klaus Ambrass" <ka*@it.stam.dk> wrote in message
news:Xn*********************@212.88.64.226...
.. . .
I write applications for my company's intraweb, and recently we've had
some eager users trying to get at some data they shouldn't. .. . . --
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk

Jul 19 '05 #4
No you can't. But it isn't the ASP that you have to worry
about,...they never see the ASP since it is all "server-side". The
only thing that loads into the browser is "client-side" script and the
HTML. Your Form and the Hidden Fields are ultimately just HTML (not
ASP).

The form fields that are not "hidden" aren't any big deal since it is
no secret what those are anyway, but the hidden fields can be replaced
with Session Variables which they cannot see. This still doesn't
prevent them from recreating their own form and submitting it, but it
will limit them to only being able to use the normal visible fields
when they do it.

As long as you use content/error checking on the submitted data using
server-side code to prevent erroneous data, they aren't going to be
able to do anything with their "custom" form that they wouldn't have
done with your original form anyway, so their little deed doesn't hurt
anything.

I've had to do the same as they for legitimate reasons before. I had
to download a patch from a Vendor that used a Form and a ton of
"client-side" javascript that was so full of crap and screwed up that
the page wouldn't run right and the Form wouldn't submit properly. The
only way to get my download was to gather the Form's Name, Method, and
Action and find all the Fields, then build my own extremely simple
HTML version of the Form and submit it to get my download. So nothing
was harmed and it was the only way around the worthless pile of crap
code that they had built the page with.

--

Phillip Windell [CCNA, MVP, MCP]
pw******@wandtv.com
WAND-TV (ABC Affiliate)
www.wandtv.com

"Klaus Ambrass" <ka*@it.stam.dk> wrote in message
news:Xn*********************@212.88.64.226...
Hi all,

I write applications for my company's intraweb, and recently we've had some eager users trying to get at some data they shouldn't. The way they did it was to look at the pages' input tags and hidden fields to construct their own URLs.

Aside from poor design (which is being changed) - how can I scramble the page, so as the users can't simply use "View Source" from the menu? Is there a switch or component I can activate/install in ASP, can I change the ContentType or something else?

It need not be totally secure, just enough to fend off the nosiest of my user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk

Jul 19 '05 #5
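
The design change suggested in replies #2 and #5 above (keep the value that was in a hidden field in server-side session state, validate the visible fields on the server, and record who requested what), as an added example that is not part of the thread. It is a Python model rather than ASP code; the report data, the field names `owner` and `month`, and the IP address are constructed for illustration.

```python
import re
import secrets
from datetime import datetime, timezone

# Constructed sample data: (owner, month) -> report text.
REPORTS = {("alice", "2004-06"): "alice June hours",
           ("bob", "2004-06"): "bob June hours"}
SESSIONS = {}   # session id -> state kept on the server, never sent to the browser
AUDIT_LOG = []  # one entry per request: time, IP, user, submitted fields

def login(user):
    """Start a session; the browser only ever receives this opaque id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"owner": user}
    return sid

def handle_hidden_field(form):
    """Original design: the owner arrives in a hidden field and is trusted."""
    return REPORTS.get((form["owner"], form["month"]))

def handle_session(sid, form, remote_ip):
    """Reworked design: owner comes from the session, visible input is validated."""
    session = SESSIONS.get(sid)
    if session is None:
        return None  # no login, no data
    owner = session["owner"]
    month = form.get("month", "")
    valid = re.fullmatch(r"\d{4}-(0[1-9]|1[0-2])", month) is not None
    # Fields the real page never sends (such as a forged owner) are ignored
    # for the lookup but recorded, so the log shows who tried what.
    unexpected = sorted(set(form) - {"month"})
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "ip": remote_ip, "user": owner,
        "fields": dict(form), "unexpected": unexpected, "valid": valid,
    })
    return REPORTS.get((owner, month)) if valid else None

def demo():
    """Alice submits a hand-built form naming bob as owner (constructed input)."""
    sid = login("alice")
    forged = {"owner": "bob", "month": "2004-06"}
    return (handle_hidden_field(forged),
            handle_session(sid, forged, "10.0.0.17"),
            AUDIT_LOG[-1]["unexpected"])
```

In classic ASP the `SESSIONS` entry corresponds to values stored in the `Session` object, which stay on the server while the browser holds only the session cookie.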
"Klaus Ambrass" <ka*@it.stam.dk> wrote in message
news:Xn*********************@212.88.64.226...
Hi all,

I write applications for my company's intraweb, and recently we've had some eager users trying to get at some data they shouldn't. The way they did it
was to look at the pages' input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?


This is where the move to asp.NET comes in really handy. By storing things
in the ViewState that used to be in hidden inputs, and by relying on the
PostBack event to do the form submission, it is a lot harder to fake out an
asp.NET application with a GET string in the URL.

R.
Jul 19 '05 #6
Tim
do what the spammers do - put loads of html comment in the code
eg

1<!--OADASDHKJOASJDH-->2<!--123kljlASDUIOADA-->3

will just print 123


"Klaus Ambrass" <ka*@it.stam.dk> wrote in message
news:Xn*********************@212.88.64.226...
Hi all,

I write applications for my company's intraweb, and recently we've had some eager users trying to get at some data they shouldn't. The way they did it
was to look at the pages' input tags and hidden fields to construct their
own URLs.

Aside from poor design (which is being changed) - how can I scramble the
page, so as the users can't simply use "View Source" from the menu? Is
there a switch or component I can activate/install in ASP, can I change the
ContentType or something else?

It need not be totally secure, just enough to fend off the nosiest of my user herd.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk

Jul 19 '05 #7
Klaus Ambrass <ka*@it.stam.dk> wrote in
news:Xn*********************@212.88.64.226:

Hi guys,

thanks for your input which was surprisingly diverse.
I will re-think my design and put the hidden fields in session-variables.
And the people who are too eager will have a talk with their manager(s).

Thanks for all your input.

--
Klaus Ambrass

IT - Storstrøms Amt
ka*@it.stam.dk
Jul 19 '05 #8
