Results 1 to 13 of 13
  1. #1
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253

    Protectioning your HTML (Not by Encyption)

    Every sence I became a web developer. I have always heard that there is not way to secure your html code. Even with encrypters you can get the html code of a website by using FireFox's Tools->Dom Inspecter. So this made me go back to the drawing board for a bit when i thought of the idea of putting the information within an iframe and seeing if there was a possible way to secure it. So, ever a bit of testing and dabbling with php, i finally think i have figured out a very secure way to protect your html code by putting it in an iframe which has basicly a security lock. Now my reason for posting this up here is to see if any of your other high tech computer guys can help me figure out is there any way to hack around this?

    Here is alink to a real version of it:
    http://o3de.com/frame1.php

    I would like to see if anyone can brake it without knowing the code first and then ill paste the code to see if anyone can find flaws it in. I hope that if this works like everyone has always wanted then people will be willing to give me credit **smiles**

    Anyways, give it a try. It is at this point just a low amount of security without encryption and just two variables. But its a start...

  2. #2
    Join Date
    Sep 2004
    Location
    Uk
    Posts
    423

  3. #3
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253
    Thank you.

    I hope this can finally be the way to 100% protect HTML code.

  4. #4
    Join Date
    Sep 2004
    Location
    Uk
    Posts
    423
    I haven't really tried that hard to get the code as i'm quite busy currently but it looks near - impossible

  5. #5
    Damn lol i cant seem to get it, seems damn near impossible, but who would like an iframe on every page... seems like it would mess it up...

  6. #6
    What code do you need to break? Do you want us to post the code of the PHP file, or the HTML code?
    If that's the HTML code, then you are confirmed again that there's absolutely no way to protect it.
    In you case, I just had a look and it seems that you checked for referer, which can be easily faked. But it doesn't need to be that hard, a simple View Source in IE could review the code???
    Is this what you are looking for?
    PHP Code:
    <html>
    <
    head>
    <
    title>Page 2</title>
    </
    head>

    <
    body>

    <
    center><h1>Page two content</h1></center>

    </
    body>

    </
    html

  7. #7
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253
    I did not have a referer in there. So what did you type in to make it go to it b/c if you copy the iframe name from the source and paste it, that should not allow you in either. Atleast every time I have tried?

    Nevermind, I understand what you are saying now... Alright let me do one more thing to see if this protects the just random clicking on the Iframe lol....

    Again, this is mostlikely an impossible challenge like all the ones before but me lets try this...

    I am going to us css to put an invisiable image over the whole site page... hehehe
    Last edited by Syphic; 04-24-2005 at 04:22 AM.

  8. #8
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253
    Here is the code for page one and page 2

    Page 1
    PHP Code:
    <?php session_start(); ?>

    <html>
    <head>
    <title>iframe Securing Test</title>
    </head>

    <body>

    <?php

    $token 
    md5(uniqid(rand(), true));

    $pass_a rand(1,100);
    $pass_b rand(1,100);
    $_SESSION['pass_a'] = $pass_a;
    $_SESSION['pass_b'] = $pass_b;

    echo 
    '<iframe src="frame2.php?senda='.$pass_a.'&sendb='.$pass_b.'" width="100%" height="100%" scrollbar="no"></iframe>';
    ?>

    </body>

    </html>
    Page 2

    PHP Code:
    <?php

    session_start
    ();

    $pass_a $pass_a;
    $pass_b $pass_b;
    $spass_a $_SESSION['pass_a'];
    $spass_b $_SESSION['pass_b'];

    unset(
    $_SESSION['pass_a']);
    unset(
    $_SESSION['pass_b']);

    if(
    $pass_a != $spass_a OR $pass_b != $spass_b OR !isset($pass_a) OR !isset($pass_b))
    {
        echo 
    'WRONG ACCESSED THIS PAGE<br>';
    /*
        echo $pass_a.'<br>';
        echo $spass_a.'<br>';
        echo '<br>';
        echo $pass_b.'<br>';
        echo $spass_b.'<br>';
    */
        
    die();
    }
    else
    {
    /*
        echo $pass_a.'<br>';
        echo $spass_a.'<br>';
        echo '<br>';
        echo $pass_b.'<br>';
        echo $spass_b.'<br>';
    */
    }

    ?>

    <html>
    <head>
    <title>Page 2</title>
    </head>

    <body>

    <center><h1>Page two content</h1></center>

    </body>

    </html>
    Any thoughts? btw the token part is not being used but is there to make it more secure later...
    Last edited by Syphic; 04-24-2005 at 04:18 AM.

  9. #9
    .Frankly, as webmasters, we shouldn't waste our time on these sorts of things.

    Your method can be easily bypassed by cookie manipulation & packet capture...

  10. #10
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253
    Yea, as the ones before us... its a waste of time to try.... lol but its fun to think about and to see if anyone else can break it and make sure its not something we have missed

  11. #11
    Join Date
    May 2004
    Location
    Lansing, MI, USA
    Posts
    1,548
    The only real way I can see to do this would be to use javascript. Encode thehtml you want to display in some format that javascript can decode, and mainually write to document.innerHTML (I believe?). you could do it without the iframe as well.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large

  12. #12
    Join Date
    Jan 2004
    Location
    /home/dislexik
    Posts
    823
    Originally posted by Syphic
    Yea, as the ones before us... its a waste of time to try.... lol but its fun to think about and to see if anyone else can break it and make sure its not something we have missed
    This kind of experimentation is what makes the greats, great.
    "You don’t learn to hack, you hack to learn"

  13. #13
    Join Date
    Jan 2003
    Location
    USA, FL
    Posts
    253
    Originally posted by DislexiK
    This kind of experimentation is what makes the greats, great.
    Well, thank you for that comment. I greatly appreciate it. Its very true if you give up on an idea than it will never be solved and so when finding an idea that might just work its always good to atleast try it.

    But for all of you out that that are looking for ways to protect your html, from the research I have done there is none and if you dont beleive it. Here is a list of ideas that have been passed down and the way to break them.

    HTML Protection Methods

    1. Solution: Encrypt your HTML
    Problem: Just get FireFox go to Tools->Dom Inspector and it shows you the source encrypted or not.
    2. Solution: Put an iframe inside the window with random security passing variable checks. Add another iframe which will overlap overtop the iframe with the page in it to prevent just clicking in the window and seeing the page information (this can be done by IE).

    Those are really the only two I can think of and at the moment I find the 2nd one the harder one to crack. But anyways another day another idea another dollar.

    Back to the drawing boards if another solution comes about.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •