How to prevent html / javascript code modification

I would like to know if there is a way to prevent changing the html page from jQuery or javascript in order to change its behavior.

The user can change it using tools such as FireBug or the Google Chrome developer panel to hide or show divs, add event listeners to page elements, etc.

I saw some web pages showing a blocking div when the page is loaded, and a pop-up message to answer some question. If you answer this, the div is hidden and you can see the page in normal mode. But if you try to hide the blocking div using FireBug, the page will reload, and there is no way to see the page correctly if you do not answer the question asked in the pop-up window.

I want to know how I can prevent the user from doing such things.

Thank you very much.

+4
8 answers

This is impossible (which is very good).

+7

To defeat the method described in the question:

  • You can use keyboard shortcuts for console / tools (Ctrl + Shift + I in Chrome)
  • You can use the resource / network panel to see the source
  • You can see this at any other level, for example with Fiddler
  • You can use a bookmarklet to simplify access.

No, you cannot prevent people from seeing or changing your source / script if they want ... those that you most want to prevent are most able to circumvent any deterrent (and all you are doing is deterring, not stopping) that you put in place.

+5

The only way to do this (in my opinion) is not to load the contents of the page until the user performs the required actions. After he answers the question (or something else), you send an AJAX request for the content (of course, as thejh said, you should also check the answer on the server, preferably in the same request). Thus, you load the page title, banners and everything that is not critical, but the actual content (for example, a blog article) should not be downloaded until the user performs your actions.

Everything that the user’s browser receives is up to the user, so you cannot force anything.

+4
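
An added example (not part of the original thread) of the approach in the answer above: the page shell is always served, while the article is returned only by the request in which the server itself accepts the answer. The route names, sample answer, JSON body shape and in-memory token set are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const http = require('http');

// Constructed sample data; in this sketch all of it stays on the server.
const EXPECTED_ANSWER = 'blue';
const ARTICLE = '<p>Full article body</p>';
const SHELL = '<h1>Title</h1><div id="content"></div>'; // non-critical markup only

const unlocked = new Set(); // tokens issued after the server accepted an answer

// Hash both sides so timingSafeEqual always compares equal-length buffers.
const digest = (s) =>
  crypto.createHash('sha256').update(s.trim().toLowerCase()).digest();
const sameAnswer = (s) =>
  crypto.timingSafeEqual(digest(s), digest(EXPECTED_ANSWER));

// Pure handler: decides the response from the request fields alone.
function handle(method, path, { token, answer } = {}) {
  if (method === 'GET' && path === '/') return { status: 200, body: SHELL };
  if (method === 'POST' && path === '/content') {
    if (typeof token === 'string' && unlocked.has(token)) {
      return { status: 200, body: ARTICLE };
    }
    if (typeof answer !== 'string' || !sameAnswer(answer)) {
      return { status: 403, body: 'answer required' };
    }
    // Answer checked and content returned in the same request.
    const issued = crypto.randomBytes(16).toString('hex');
    unlocked.add(issued);
    return { status: 200, body: ARTICLE, token: issued };
  }
  return { status: 404, body: 'not found' };
}

// HTTP wiring (hypothetical JSON body {answer} or {token}); call startServer(8080).
function startServer(port) {
  return http.createServer((req, res) => {
    let raw = '';
    req.on('data', (c) => { raw += c; if (raw.length > 4096) req.destroy(); });
    req.on('end', () => {
      let fields = {};
      try { fields = JSON.parse(raw || '{}') || {}; } catch { fields = {}; }
      const out = handle(req.method, req.url, fields);
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out));
    });
  }).listen(port);
}
```

Hiding or removing the blocking div in the browser gains nothing here, because the article markup is absent from the shell response and a forged token is rejected like a wrong answer.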

As others have said, it’s impossible to control what the end user does with the data you send them.

You might find the console object that Firebug and others use, but what can your site do with this information after receiving it? You cannot disable Firebug or prevent its use or even know if it was used.

The bottom line is that after the webpage and JavaScript code have been sent to the browser, it is not under your control.

The closest thing you can do to what you want is to move part of your code out of JavaScript and onto the server, where it will be inviolable by the user. However, you still have to have some kind of client code, which will still be subject to malicious users.

Another alternative is to switch to Flash or something similar when the end user does not have direct access to the code or object model. This has its own drawbacks, though, and you will be promoting a trend that should move from Flash to HTML5 and Javascript.

+2

Of course, you cannot stop someone from doing what they want, but you can make change more difficult.

Take a look at DOMEvents, especially Mutation-Events. This gives you the opportunity to see when something has changed (attributes, deleted / inserted nodes, data in text nodes ...). For example, you can create a function that keeps track of some special attributes that you will not need to change and reload the page if that happens.

+2

It's impossible. When you send the code to the client, the client can view it and change it. Only code that runs on your server is protected against this.

+1

I do not think that this can be done if you cannot convince (or force) users to use browsers that do not have a developer tool.

0

Use ajax to receive remote information, do not send the user all information, such as answers to polls, etc., get an answer after he has selected a choice from the server, for example, using ajax. Client-side validation is never good, damn it, as I used to delete other stupid people’s databases because of this, if people don’t learn how things really REALLY work, they should learn in such a difficult way, how to lose everything in case root access vulnerabilities.

I don’t know why HTML should be blocked, it wasn’t blocked, since the browsers came out so that it could make my own browser using a socket and transfer the HTML directly to the text box and see it in my favorite notepad / editor, etc.

As for javascript, you can just send javascript commands to the address bar of the browser (how convenient browsers are in supporting hackers hehe, but it is also used to interact with other technologies such as flash, so it has an evil / good side like everyone else.)

If you didn’t know you could just do

 javascript: alert('hi'); 

or if your javascript game or something else has globally modified variables, you can easily change them.

 javascript: score=9999;damage=99999; 

etc. etc., for example, I said that all this is good, that he will frustrate bad programmers and get them laid off or teach them a lesson in the future.

I saw how many large sites still fall for a SIMPLE XSS attack (cross-site scripting) that just puzzles how these programmers get the job done, I would do a better interview or some shit is ridiculous

0