Solved

Security protection of iFrame

Posted on 2006-07-14
25
963 Views
Last Modified: 2008-02-07
Hi X-perts,

I need to achieve two things with the iFrame structure:

1. Prevent the code of iFrame from viewing
2. Prevent an iFrame from being called directly (not from the parent)

I am testing a simple code that seems to be working:

Parent page:

<?
session_start();
$_SESSION['map'] = 'mapping OK';
?>
<body>
<iframe src="q_child.php" width="100%" scrolling="no" frameborder="0" height="540"></iframe>
</body>


Child page:

<body>
<?
session_start();
echo 'session ID:'.$_SESSION['map'];
  if ($_SESSION['map'] == 'incorrect') {
    $go = 'index.php';
 header(sprintf("Location: %s", $go));    
  }
$_SESSION['map'] = 'incorrect';
?>
This is a test of q_child iframe - opened correctly from the parent
</body>
======================================
My questions are:

1. Is there any way to see the code of the q_child.php? If someone tryes to open it directly, it will jump to the index.php. If called from q_parent.php, there is only a iframe tag. Am I right that it is enouth protection from viewing for the child code?

2. Are there any tricks and pitfalls I should be aware of when using  sessions in the above code?  

Thanks

-A-
0
Comment
Question by:andy7789
  • 11
  • 8
  • 5
  • +1
25 Comments
 
LVL 14

Expert Comment

by:ThG
Comment Utility
> 1. Is there any way to see the code of the q_child.php? If someone tryes to open it directly, it will jump to the index.php. If called from q_parent.php, there is only a iframe tag. Am I right that it is enouth protection from viewing for the child code?

what do you mean with "iframe code"? the php code or the generated html code?

well it doesn't matter, i can reply to both cases:

a) if you are worried for php code, the iframe is useless as php code cannot be extracted from a properly configured server (i.e. some mis-configured servers might serve the raw php code instead of executing it, but it's not your case if you can see php working)

b) if you are worried for html/js/css code, give up. you can just right click the iframe to extract the inner code, you don't need to request it directly.
0
 

Author Comment

by:andy7789
Comment Utility
Obviously, I mean protection of html/js code. when I call q_parent.php, it opens a q_child page in its iframe, but right clicking on it gives only the q_parent source code, not the iframe. How can you get its code by right clicking?

0
 

Author Comment

by:andy7789
Comment Utility
Yes, you are right: ie shows a code of iframe, but firefox shoes a code of parent only. Aleast it provides a protection from opening an iframe from other page (not parent).
0
 

Author Comment

by:andy7789
Comment Utility
What about disabling righ clicking on a iframe?
0
 
LVL 14

Expert Comment

by:ThG
Comment Utility

no, i'm serious, give up. there is no way to protect html code. even those javascript unescape() hacks just take a few seconds to work around.

with mozilla when you right click on the iframe it shows a sub-context-menu called "This frame", and there "view source code". disabling right click is very poor, it works on IE only.

even if you create 1024 nested iframes to prevent user from viewing source from browser, you can still grab it with any web crawler software.

i'm sorry if i was crude..i just told you the facts. if you are really worried for your code you might try those javscript unescape() obfuscation.. maybe there is someone out there that ain't able to decode it.
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
http://www.ioncube.com/html_encoder.php

BUT I cracked it, there is no 100% solution for protecting html code...
0
 

Author Comment

by:andy7789
Comment Utility
I am still keep trying and not 100% convinced that it is not impossible. The above iframe code (with session check up) gives me the following:

1. In Firefox, right click on show this Frame jumps back to the index.php and does not show the frame code.
2. In ie right click in iframe DOES show its source code, but it can fixed by two simple tricks:

a) instead of <iframe ....></iframe> put it as document.writeln('<iframe........></iframe>');
b) disable right click, so if someone disables jscript, iframe tag will not be written. If jscript is enabled, you cannot right click on the iframe.

What about this?
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
Think about this:

How can the client get the code to run?
And when it gets the code just run ethereal to sniff the code...
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
a) instead of <iframe ....></iframe> put it as document.writeln('<iframe........></iframe>');

Well I could just get the source of the iframe by going to it directly. (and spoofing referers is need be)
0
 

Author Comment

by:andy7789
Comment Utility
read my 1st post - you are missing the point. You cannot load the iframe directly as it checks the session variable. If loaded directly, it jumps immeduatelly to the parent page (index.php)
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
I could just load the page without iframes (ie. frame free browser) get the iframe uri and then load it... done.
0
 

Author Comment

by:andy7789
Comment Utility
if you load the iframe directly (frame free browser or whatsoever) it chgecks

<?
session_start();
echo 'session ID:'.$_SESSION['map'];
  if ($_SESSION['map'] == 'incorrect' or $_SESSION['map'] != 'OK') {
    $go = 'index.php';
 header(sprintf("Location: %s", $go));    
  }
$_SESSION['map'] = 'incorrect';
?>

unless the session['map'] is set 'OK', it jumps to the index.php and does not load the iframe. I have been playing with it on a few browsers and it works just fine. You cannot load it directly unliss you know the code 'OK' to make your shell session

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 14

Accepted Solution

by:
ThG earned 500 total points
Comment Utility
> b) disable right click, so if someone disables jscript, iframe tag will not be written. If jscript is enabled, you cannot right click on the iframe.

LOL.. i admit you have fantasy. But really, what mozilla version are you running? i think since 1.0 it shows correctly the source of any kind of nested frame/iframe.

and ANYWAY i would just not bother with your tricks, usually when i need to grab such code i dump my network traffic while opening the site :-) i especially do that for SWF movies that load inner html.. those are REALLY tricky to get over.

Some other tricks for grabbing the code:
1) browse the local cache, you should be able to find the inner html page alone
2) "save" the external page, it should automatically save nested frames as well
3) disable javascript AFTER loading the iframe code.. i.e. after the document.write('<iframe...'); has been executed

but there are LOTS more..
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
How can the browser load it if it doesn't know the "code"?

Because it does, which means that I could just dump the network traffic and get the source.
0
 

Author Comment

by:andy7789
Comment Utility
ThG
I can see that you have absolutely no ideas what you are talking about! when you are talking about firefox - just try to do it before say somethng with so great aplomb
0
 

Author Comment

by:andy7789
Comment Utility
sorry guys, I would prefer to talk with people who at least underastand the subject and how php session works
0
 
LVL 14

Expert Comment

by:ThG
Comment Utility
ROTLF!!!

You are right andy7789, go put some valuable information in your iframe code. nobody will be able to view that. And don't forget to tell us the site name hehehe.. well who cares? we don't have a clue about web devel, do we?
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
Andy7789 Could you please tell us the site URI... so that we can prove to you that it just doesn't work?
0
 
LVL 7

Expert Comment

by:NetExpert
Comment Utility
andy7789:
Please understand that your session check only works in this case:
"User loads your parent page. It starts a session and return the page with nested iframe. User views parent page source and finds the iframe url. User then go DIRECTLY to child page without reference from parent page. Session is invalid and user receives index.php file."

However, as ThG, mnb93 and other have pointed out, there is a few ways to get over it. The fact is, when user loads your parent page, his/her browser must receive  the source code (HTML) of both parent and childe (iframe) page in order to displays their content. We don't have to go DIRECTLY to child page, we just need to explore what we have after a valid request to parent page (and got the iframe content displayed in the browser). First, Firefox has a few extensions that allow user to load the frame instead of just showing the parent code. Second, the child page is in the local cache - you can't see the source with Firefox doesn't mean that it's not there. Third, as data has to pass through your network card - whatever, we can try setting up a trap and capture it. Remember that we do not load the iframe directly, we just load the parent page (with a valid session) - then we already have the source code of the iframe.
0
 

Author Comment

by:andy7789
Comment Utility
Thank you, I understand exactly what you are saying, but it we are talking about different things. I mostly care about jscript code of the iFrame (not html text or pics). The way how I have done it and tested on a few different browsers gives me the following:

1. Capturing network stream gives you not the original jscript code but browsers' interpreted code with raw headers. I tried a few capturing programms and the best what I could get looks as

function S(a,b){return gc+a+(b?".gif":".png")}
var Ne=0;
function T(a,b,c,d){if(!T.sh){T.initConstants()}this.Oa=a;this.b=d;this.af=b;this.bf=c;this.va=false;this.Wa=new k(0,0);this.da=false;this.Hb=new k(0,0);this.Hh=oc(this,this.Yb);this.Ih=oc(this,this.Zb);this.Kh=oc(this,this.wb);if(x.s()){I(window,wa,this,this.fi)}this.Fa=[];this.jf(a)}
T.initConstants=function(){if(x.s()){this.draggableCursor="-moz-grab";this.draggingCursor="-moz-grabbing"}else{this.draggableCursor="url("+gc+

It looks as a decent obfuscated code (obviously not like using unescape()), and it would take more time to get into it than writing from scratch.

2. Saving the parent page in ie and Firefox gives a similar results in regard to jscript - it does not save the jscript html page, but something similar to the above. BTW, firefox convert all the jscript fiunctions to one .js file that is very difficult to read.

3. The same with cache of ie or ff. I have not seen a browser that would save jscript in the original code. have you?

What I am saying is simply this:

1. No one so far could suggest me the way how to get the iFrame original encoding (Jscript). Everything that ThG suggested just does not work, except dumping the network data, which again is not very helpful for decoding jscript code.

2. This way of protection jscript in child iframe looks better to me than just unescape() or similar tricks.

We are not talking here about absolute protection of html pages, but the way how to make it more difficult to steal, particularily jscript code, which is impossible to encrypt because it is direct browser interpreted code.

Another point is for ThG - usually people are more polite here, respect each other and not so arrogant. but it seems that this guy has a long way to go...
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
You should read this: http://www.wired.com/news/technology/0,70179-0.html?tw=wn_index_2

Think about this:  How does the browser get the code? It requests it.
Thus if I couldn't monitor my traffic and do all the above suggestions, I could just code a [very] basic browser and steal your code.
0
 
LVL 5

Expert Comment

by:mnb93
Comment Utility
And I believe that ThG is a moderator, not that it make "flaming" any better. (ThG please note the quotation marks around "flaming")
0
 

Author Comment

by:andy7789
Comment Utility
You are right, but the way how the web page code is presented inside the browser and on the viewed web page are different. In a sense, any browser is interpreter, therefore the net traffic that you can capture is not the same as the view source. You are right about objects like pictures, swf files etc. What I am saying that damping the network traffic one can steal the "raw browser's" jscript code rather than the original code. Just make a simple excersise - dump some pages with ling jscript code and you will see how it looks like. Also, I have never stated that it is 100% protection. It may be cracked, but it takes more time than a trivial jscript obfuscation. ONly that.

Also, I do not care if someone a moderator or not. There should be always certain respect and culture in discussions. Is is even more applicable to moderators.
0
 
LVL 14

Expert Comment

by:ThG
Comment Utility

I'm not a moderator, I'm just a Page Editor. This makes me an expert before anything else. I don't think that my unpoliteness was worse than "go learn what is firefox".

Anyway, andy7789 still doesn't show us his very secret url. I can stop posting here, no problem, and I can let andy7789 live with his convitions that I know nothing about web devel, that's ok too. But please note that points 1,2,3 of his last comment are just generic assumptions that are valid for any html page, and i can't see how they are related to his fantastic iframe-session-trick.

Regards
0
 

Author Comment

by:andy7789
Comment Utility
ThG
This is the 1st time you are talking slightly closer to the appropriate tone. I am sure that you know a lot about web development; however, I am also quite sure that your tone and the way of talking to people is hardly acceptable here. We can argue about technical things, agree or disagree, but please, do not forget that this is not a pub or a dating chat.
I would be happy even to give you the points - very simply, because you have outlined a number of ways what people would do to grab the page code, while none of them really worked in my case and none have opened the page. Dumping the traffic is the only way I have found so far, unless someone gives me some other ideas. I am quite happy with it, as the captured jscript code is very difficult to reconstruct.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Both Easy and Powerful How easy is PHP? http://lmgtfy.com?q=how+easy+is+php (http://lmgtfy.com?q=how+easy+is+php)  Very easy.  It has been described as "a programming language even my grandmother can use." How powerful is PHP?  http://en.wikiped…
Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now