andy7789
Security protection of iFrame

Hi X-perts,

I need to achieve two things with the iFrame structure:

1. Prevent the code of the iFrame from being viewed
2. Prevent an iFrame from being called directly (not from the parent)

I am testing a simple code that seems to be working:

Parent page:

<?php
// Start the session and set the flag that the child page checks
session_start();
$_SESSION['map'] = 'mapping OK';
?>
<body>
<iframe src="q_child.php" width="100%" scrolling="no" frameborder="0" height="540"></iframe>
</body>


Child page:

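<?php
// session_start() and header() must run before any output is sent
session_start();
$map = $_SESSION['map'] ?? '';
if ($map == 'incorrect') {
    // Flag already consumed: send the visitor back to the parent page
    $go = 'index.php';
    header(sprintf("Location: %s", $go));
    exit; // stop here so the frame body is not sent along with the redirect
}
$_SESSION['map'] = 'incorrect';
?>
<body>
<?php echo 'session ID:'.$map; ?>
This is a test of q_child iframe - opened correctly from the parent
</body>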
======================================
My questions are:

1. Is there any way to see the code of the q_child.php? If someone tries to open it directly, it will jump to the index.php. If called from q_parent.php, there is only an iframe tag. Am I right that it is enough protection from viewing for the child code?

2. Are there any tricks and pitfalls I should be aware of when using  sessions in the above code?  

Thanks

-A-
Giovanni G

> 1. Is there any way to see the code of the q_child.php? If someone tries to open it directly, it will jump to the index.php. If called from q_parent.php, there is only an iframe tag. Am I right that it is enough protection from viewing for the child code?

what do you mean with "iframe code"? the php code or the generated html code?

well it doesn't matter, i can reply to both cases:

a) if you are worried for php code, the iframe is useless as php code cannot be extracted from a properly configured server (i.e. some mis-configured servers might serve the raw php code instead of executing it, but it's not your case if you can see php working)

b) if you are worried for html/js/css code, give up. you can just right click the iframe to extract the inner code, you don't need to request it directly.
andy7789

ASKER

Obviously, I mean protection of html/js code. when I call q_parent.php, it opens a q_child page in its iframe, but right clicking on it gives only the q_parent source code, not the iframe. How can you get its code by right clicking?

Yes, you are right: IE shows the code of the iframe, but Firefox shows the code of the parent only. At least it provides protection from opening an iframe from another page (not the parent).
What about disabling right clicking on an iframe?

no, i'm serious, give up. there is no way to protect html code. even those javascript unescape() hacks just take a few seconds to work around.

with mozilla when you right click on the iframe it shows a sub-context-menu called "This frame", and there "view source code". disabling right click is very poor, it works on IE only.

even if you create 1024 nested iframes to prevent user from viewing source from browser, you can still grab it with any web crawler software.

i'm sorry if i was crude..i just told you the facts. if you are really worried for your code you might try those javascript unescape() obfuscation.. maybe there is someone out there that ain't able to decode it.
http://www.ioncube.com/html_encoder.php

BUT I cracked it, there is no 100% solution for protecting html code...
I am still trying and not 100% convinced that it is not impossible. The above iframe code (with session check up) gives me the following:

1. In Firefox, right click on show this Frame jumps back to the index.php and does not show the frame code.
2. In IE, right click in the iframe DOES show its source code, but it can be fixed by two simple tricks:

a) instead of <iframe ....></iframe> put it as document.writeln('<iframe........></iframe>');
b) disable right click, so if someone disables jscript, iframe tag will not be written. If jscript is enabled, you cannot right click on the iframe.

What about this?
Think about this:

How can the client get the code to run?
And when it gets the code just run ethereal to sniff the code...
a) instead of <iframe ....></iframe> put it as document.writeln('<iframe........></iframe>');

Well I could just get the source of the iframe by going to it directly. (and spoofing referers if need be)
read my 1st post - you are missing the point. You cannot load the iframe directly as it checks the session variable. If loaded directly, it jumps immediately to the parent page (index.php)
I could just load the page without iframes (ie. frame free browser) get the iframe uri and then load it... done.
if you load the iframe directly (frame free browser or whatsoever) it checks

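<?php
session_start();
$map = $_SESSION['map'] ?? '';
// Redirect unless the parent page has just set the flag to 'OK'
if ($map == 'incorrect' or $map != 'OK') {
    $go = 'index.php';
    header(sprintf("Location: %s", $go));
    exit; // stop here so the frame content is not sent after the redirect header
}
echo 'session ID:'.$map;
$_SESSION['map'] = 'incorrect';
?>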

unless the session['map'] is set 'OK', it jumps to the index.php and does not load the iframe. I have been playing with it on a few browsers and it works just fine. You cannot load it directly unless you know the code 'OK' to make your shell session

ASKER CERTIFIED SOLUTION
Giovanni G

This solution is only available to members.
How can the browser load it if it doesn't know the "code"?

Because it does, which means that I could just dump the network traffic and get the source.
ThG
I can see that you have absolutely no idea what you are talking about! when you are talking about firefox - just try to do it before saying something with such great aplomb
sorry guys, I would prefer to talk with people who at least understand the subject and how php session works
ROTLF!!!

You are right andy7789, go put some valuable information in your iframe code. nobody will be able to view that. And don't forget to tell us the site name hehehe.. well who cares? we don't have a clue about web devel, do we?
Andy7789 Could you please tell us the site URI... so that we can prove to you that it just doesn't work?
andy7789:
Please understand that your session check only works in this case:
"User loads your parent page. It starts a session and return the page with nested iframe. User views parent page source and finds the iframe url. User then go DIRECTLY to child page without reference from parent page. Session is invalid and user receives index.php file."

However, as ThG, mnb93 and others have pointed out, there are a few ways to get over it. The fact is, when the user loads your parent page, his/her browser must receive the source code (HTML) of both the parent and the child (iframe) page in order to display their content. We don't have to go DIRECTLY to the child page, we just need to explore what we have after a valid request to the parent page (and got the iframe content displayed in the browser). First, Firefox has a few extensions that allow the user to load the frame instead of just showing the parent code. Second, the child page is in the local cache - that you can't see the source with Firefox doesn't mean that it's not there. Third, as data has to pass through your network card - whatever, we can try setting up a trap and capture it. Remember that we do not load the iframe directly, we just load the parent page (with a valid session) - then we already have the source code of the iframe.
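The point made in the comment above, as an added example that is not part of the original thread: a Python model of the parent/child session gate. The `'OK'` flag follows the asker's second version of the check; `handle`, `CHILD_SOURCE`, the cookie format and the in-memory session store are constructed for illustration. It shows that the gate tests only the cookie and the order of requests, so any client that requests the parent first is sent the child's full source.

```python
# Added example: models the thread's q_parent.php / q_child.php session gate.
# CHILD_SOURCE and the cookie values are constructed for illustration.
import secrets

CHILD_SOURCE = "<body><script>function secret(){return 42}</script></body>"
SESSIONS = {}  # session id -> dict, stands in for PHP's $_SESSION store


def handle(path, cookie=None):
    """Return (status, headers, body, cookie) the way the two PHP pages would."""
    if cookie not in SESSIONS:              # session_start() without a valid cookie
        cookie = secrets.token_hex(8)
        SESSIONS[cookie] = {}
    session = SESSIONS[cookie]
    if path == "/q_parent.php":
        session["map"] = "OK"               # parent arms the one-time flag
        return 200, {}, '<iframe src="q_child.php"></iframe>', cookie
    if path == "/q_child.php":
        if session.get("map") != "OK":      # flag missing or already consumed
            return 302, {"Location": "index.php"}, "", cookie
        session["map"] = "incorrect"        # consume the flag, as in the thread
        return 200, {}, CHILD_SOURCE, cookie
    return 404, {}, "", cookie


def fetch_like_a_browser():
    """Any client that keeps the cookie and requests parent, then child."""
    _, _, _, cookie = handle("/q_parent.php")
    status, _, body, _ = handle("/q_child.php", cookie)
    return status, body, cookie


def fetch_child_directly():
    """Client that never visited the parent page."""
    status, headers, body, _ = handle("/q_child.php")
    return status, headers.get("Location"), body


if __name__ == "__main__":
    print("direct request:", fetch_child_directly())
    print("parent, then child:", fetch_like_a_browser()[:2])
```

The server cannot tell a rendering browser from any other client that sends the same two requests, which is why the check controls access order but not who ends up holding the source.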
Thank you, I understand exactly what you are saying, but we are talking about different things. I mostly care about the jscript code of the iFrame (not html text or pics). The way how I have done it and tested on a few different browsers gives me the following:

1. Capturing the network stream gives you not the original jscript code but the browser's interpreted code with raw headers. I tried a few capturing programs and the best that I could get looks like

function S(a,b){return gc+a+(b?".gif":".png")}
var Ne=0;
function T(a,b,c,d){if(!T.sh){T.initConstants()}this.Oa=a;this.b=d;this.af=b;this.bf=c;this.va=false;this.Wa=new k(0,0);this.da=false;this.Hb=new k(0,0);this.Hh=oc(this,this.Yb);this.Ih=oc(this,this.Zb);this.Kh=oc(this,this.wb);if(x.s()){I(window,wa,this,this.fi)}this.Fa=[];this.jf(a)}
T.initConstants=function(){if(x.s()){this.draggableCursor="-moz-grab";this.draggingCursor="-moz-grabbing"}else{this.draggableCursor="url("+gc+

It looks as a decent obfuscated code (obviously not like using unescape()), and it would take more time to get into it than writing from scratch.

2. Saving the parent page in IE and Firefox gives similar results in regard to jscript - it does not save the jscript html page, but something similar to the above. BTW, Firefox converts all the jscript functions to one .js file that is very difficult to read.

3. The same with cache of ie or ff. I have not seen a browser that would save jscript in the original code. have you?

What I am saying is simply this:

1. No one so far could suggest me the way how to get the iFrame original encoding (Jscript). Everything that ThG suggested just does not work, except dumping the network data, which again is not very helpful for decoding jscript code.

2. This way of protecting jscript in a child iframe looks better to me than just unescape() or similar tricks.

We are not talking here about absolute protection of html pages, but the way how to make it more difficult to steal, particularly jscript code, which is impossible to encrypt because it is direct browser interpreted code.

Another point is for ThG - usually people are more polite here, respect each other and not so arrogant. but it seems that this guy has a long way to go...
You should read this: http://www.wired.com/news/technology/0,70179-0.html?tw=wn_index_2

Think about this:  How does the browser get the code? It requests it.
Thus if I couldn't monitor my traffic and do all the above suggestions, I could just code a [very] basic browser and steal your code.
And I believe that ThG is a moderator, not that it makes "flaming" any better. (ThG please note the quotation marks around "flaming")
You are right, but the way how the web page code is presented inside the browser and on the viewed web page are different. In a sense, any browser is an interpreter, therefore the net traffic that you can capture is not the same as the view source. You are right about objects like pictures, swf files etc. What I am saying is that by dumping the network traffic one can steal the "raw browser's" jscript code rather than the original code. Just do a simple exercise - dump some pages with long jscript code and you will see what it looks like. Also, I have never stated that it is 100% protection. It may be cracked, but it takes more time than a trivial jscript obfuscation. Only that.

Also, I do not care if someone is a moderator or not. There should always be certain respect and culture in discussions. It is even more applicable to moderators.

I'm not a moderator, I'm just a Page Editor. This makes me an expert before anything else. I don't think that my unpoliteness was worse than "go learn what is firefox".

Anyway, andy7789 still doesn't show us his very secret url. I can stop posting here, no problem, and I can let andy7789 live with his convictions that I know nothing about web devel, that's ok too. But please note that points 1,2,3 of his last comment are just generic assumptions that are valid for any html page, and i can't see how they are related to his fantastic iframe-session-trick.

Regards
ThG
This is the 1st time you are talking slightly closer to the appropriate tone. I am sure that you know a lot about web development; however, I am also quite sure that your tone and the way of talking to people is hardly acceptable here. We can argue about technical things, agree or disagree, but please, do not forget that this is not a pub or a dating chat.
I would be happy even to give you the points - very simply, because you have outlined a number of ways what people would do to grab the page code, while none of them really worked in my case and none have opened the page. Dumping the traffic is the only way I have found so far, unless someone gives me some other ideas. I am quite happy with it, as the captured jscript code is very difficult to reconstruct.