-
04-24-2005, 02:59 AM #1Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
Protecting your HTML (Not by Encryption)
Ever since I became a web developer, I have always heard that there is no way to secure your HTML code. Even with encrypters you can get the HTML code of a website by using Firefox's Tools->DOM Inspector. So this made me go back to the drawing board for a bit, when I thought of the idea of putting the information within an iframe and seeing if there was a possible way to secure it. So, after a bit of testing and dabbling with PHP, I finally think I have figured out a very secure way to protect your HTML code by putting it in an iframe which has basically a security lock. Now my reason for posting this up here is to see if any of you other high-tech computer guys can help me figure out: is there any way to hack around this?
Here is a link to a real version of it:
http://o3de.com/frame1.php
I would like to see if anyone can break it without knowing the code first, and then I'll paste the code to see if anyone can find flaws in it. I hope that if this works like everyone has always wanted, then people will be willing to give me credit **smiles**
Anyways, give it a try. It is at this point just a low amount of security without encryption and just two variables. But it's a start...
-
04-24-2005, 03:47 AM #2Aspiring Evangelist
- Join Date
- Sep 2004
- Location
- Uk
- Posts
- 423
Looks good Syphic.
-
04-24-2005, 03:51 AM #3Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
Thank you.
I hope this can finally be the way to 100% protect HTML code.
-
04-24-2005, 03:53 AM #4Aspiring Evangelist
- Join Date
- Sep 2004
- Location
- Uk
- Posts
- 423
I haven't really tried that hard to get the code as I'm quite busy currently, but it looks near-impossible.
-
04-24-2005, 03:59 AM #5Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 930
Damn lol, I can't seem to get it, seems damn near impossible, but who would like an iframe on every page... seems like it would mess it up...
-
04-24-2005, 04:00 AM #6Junior Guru
- Join Date
- Sep 2003
- Posts
- 242
What code do you need to break? Do you want us to post the code of the PHP file, or the HTML code?
If that's the HTML code, then you are confirmed again that there's absolutely no way to protect it.
In your case, I just had a look and it seems that you checked for referer, which can be easily faked. But it doesn't need to be that hard, a simple View Source in IE could review the code???
Is this what you are looking for?
PHP Code:
<html>
<head>
<title>Page 2</title>
</head>
<body>
<center><h1>Page two content</h1></center>
</body>
</html>
-
04-24-2005, 04:12 AM #7Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
I did not have a referer in there. So what did you type in to make it go to it? Because if you copy the iframe name from the source and paste it, that should not allow you in either. At least every time I have tried?
Never mind, I understand what you are saying now... Alright, let me do one more thing to see if this protects the just random clicking on the iframe lol....
Again, this is most likely an impossible challenge like all the ones before, but let me try this...
I am going to use CSS to put an invisible image over the whole site page... hehehe
Last edited by Syphic; 04-24-2005 at 04:22 AM.
-
04-24-2005, 04:15 AM #8Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
Here is the code for page one and page 2
Page 1
PHP Code:
<?php session_start(); ?>
<html>
<head>
<title>iframe Securing Test</title>
</head>
<body>
<?php
// Generated but not used anywhere below.
$token = md5(uniqid(rand(), true));
// Two random values, kept in the session and also sent in the iframe URL.
$pass_a = rand(1,100);
$pass_b = rand(1,100);
$_SESSION['pass_a'] = $pass_a;
$_SESSION['pass_b'] = $pass_b;
echo '<iframe src="frame2.php?senda='.$pass_a.'&sendb='.$pass_b.'" width="100%" height="100%" scrolling="no"></iframe>';
?>
</body>
</html>
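Page 2
PHP Code:
<?php
session_start();
// Values passed in the iframe URL by page 1 (senda / sendb).
$pass_a = isset($_GET['senda']) ? $_GET['senda'] : null;
$pass_b = isset($_GET['sendb']) ? $_GET['sendb'] : null;
// Values page 1 stored in the session; they are cleared after one use.
$spass_a = isset($_SESSION['pass_a']) ? $_SESSION['pass_a'] : null;
$spass_b = isset($_SESSION['pass_b']) ? $_SESSION['pass_b'] : null;
unset($_SESSION['pass_a']);
unset($_SESSION['pass_b']);
// Deny when anything is missing or when the values differ.
if(!isset($pass_a) OR !isset($pass_b) OR !isset($spass_a) OR !isset($spass_b) OR $pass_a != $spass_a OR $pass_b != $spass_b)
{
    echo 'WRONG ACCESSED THIS PAGE<br>';
    /*
    echo $pass_a.'<br>';
    echo $spass_a.'<br>';
    echo '<br>';
    echo $pass_b.'<br>';
    echo $spass_b.'<br>';
    */
    die();
}
else
{
    /*
    echo $pass_a.'<br>';
    echo $spass_a.'<br>';
    echo '<br>';
    echo $pass_b.'<br>';
    echo $spass_b.'<br>';
    */
}
?>
<html>
<head>
<title>Page 2</title>
</head>
<body>
<center><h1>Page two content</h1></center>
</body>
</html>
Last edited by Syphic; 04-24-2005 at 04:18 AM.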
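What the check in the two pages above does and does not enforce, as an added simulation that is not code from the thread. It models the PHP logic in Python with no network access; the `frame1`/`frame2`/`load_frame` functions and the in-memory `SESSIONS` dict are assumptions standing in for the two PHP pages, the browser and `$_SESSION`.

```python
import re
import secrets

SESSIONS = {}  # session id -> stored values; stands in for PHP's $_SESSION
DENIED = "WRONG ACCESSED THIS PAGE<br>"
PAGE2 = "<html><body><center><h1>Page two content</h1></center></body></html>"

def frame1(sid=None):
    """Page 1: store two random values server-side and emit the iframe tag."""
    sid = sid or secrets.token_hex(8)
    a, b = secrets.randbelow(100) + 1, secrets.randbelow(100) + 1
    SESSIONS[sid] = {"pass_a": str(a), "pass_b": str(b)}
    return sid, f'<iframe src="frame2.php?senda={a}&sendb={b}"></iframe>'

def frame2(sid, senda=None, sendb=None):
    """Page 2: the stored values are consumed on every request, then compared."""
    sess = SESSIONS.get(sid, {})
    a, b = sess.pop("pass_a", None), sess.pop("pass_b", None)
    if a is None or b is None or senda != a or sendb != b:
        return DENIED
    return PAGE2

def load_frame(sid, page1_html):
    """What any HTTP client does with page 1: read the iframe URL, request it."""
    senda, sendb = re.search(r"senda=(\d+)&sendb=(\d+)", page1_html).groups()
    return frame2(sid, senda, sendb), (senda, sendb)

def demo():
    results = {}
    sid, html = frame1()
    results["first_load"], used = load_frame(sid, html)
    results["replay"] = frame2(sid, *used)            # same URL a second time
    results["no_session"] = frame2("unknown", *used)  # no matching session
    sid2, _ = frame1()
    results["wrong_values"] = frame2(sid2, "0", "0")  # 0 is never issued
    return results

if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:13} -> {body}")
```

The check rejects replays, unknown sessions and wrong values, but the first load always returns the full markup to the client, because that is the response the browser itself needs in order to render the frame.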
-
04-24-2005, 05:12 AM #9Junior Guru
- Join Date
- Sep 2003
- Posts
- 242
Frankly, as webmasters, we shouldn't waste our time on these sorts of things.
Your method can be easily bypassed by cookie manipulation & packet capture...
-
04-24-2005, 05:14 AM #10Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
Yea, as the ones before us... it's a waste of time to try.... lol but it's fun to think about and to see if anyone else can break it and make sure it's not something we have missed
-
04-24-2005, 08:30 AM #11PHP for breakfast
- Join Date
- May 2004
- Location
- Lansing, MI, USA
- Posts
- 1,548
The only real way I can see to do this would be to use JavaScript. Encode the HTML you want to display in some format that JavaScript can decode, and manually write to document.innerHTML (I believe?). You could do it without the iframe as well.
Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
-
04-24-2005, 09:07 AM #12Web Hosting Master
- Join Date
- Jan 2004
- Location
- /home/dislexik
- Posts
- 823
Originally posted by Syphic
Yea, as the ones before us... its a waste of time to try.... lol but its fun to think about and to see if anyone else can break it and make sure its not something we have missed
"You don’t learn to hack, you hack to learn"
-
04-24-2005, 03:08 PM #13Web Hosting Guru
- Join Date
- Jan 2003
- Location
- USA, FL
- Posts
- 253
Originally posted by DislexiK
This kind of experimentation is what makes the greats, great.
But for all of you out there that are looking for ways to protect your HTML, from the research I have done there is none, and if you don't believe it, here is a list of ideas that have been passed down and the way to break them.
HTML Protection Methods
1. Solution: Encrypt your HTML
Problem: Just get Firefox, go to Tools->DOM Inspector and it shows you the source, encrypted or not.
2. Solution: Put an iframe inside the window with random security passing variable checks. Add another iframe which will overlap overtop the iframe with the page in it to prevent just clicking in the window and seeing the page information (this can be done by IE).
Those are really the only two I can think of and at the moment I find the 2nd one the harder one to crack. But anyways another day another idea another dollar.
Back to the drawing boards if another solution comes about.