Hi everyone
I want to develop a button like 'facebook like button'.
I am going to use it on my website and thinking it to share as iframe like facebook but I cannot think its securty because someone can develop a script that can click on it automatically.
I thought a solution using sessions but I couldn't make an algorithm completely.
How can I disallow autoclicks and which solution is the best? It can be any language I just want algorithm.
Thanks, have a nice day.
Edited :
Think a website like facebook. I login facebook and I can click on like button on any website.
Move to a new page and allow the logged in user to confirm that they were the ones who clicked the like
button.
I'm not sure that there's a surefire way to prevent clickjacking or the type of fraud you're referring to, given that you want to place your button in an iframe.
See http://ha.ckers.org/blog/20081007/clickjacking-details/ for more info.
You can't prevent this, once you have generated the like button, the button can be access directly.
You just can protect yourself using client side defence technologies like Comitari supplies.
They have a free product that protects you against ClickJacking and LikeJacking attacks.
Related
I'm trying to integrate DocuSign to my website. With the DocuSign Power Form I'm kind of successful to integrate. When a button is clicked in my website user is redirected to the Docusign Power Form. But what I need to do is redirect the user back to my site once the signing is done.
Is it something I can do with the Power Form?
You can control where a user is directed after a PowerForm. It uses the values set under Preferences -> Features -> "In session landing pages". Typically these values are overridden when using the API but they do work for PowerForms.
Whether or not you should use PowerForms vs. API depends on your Use Case. For example, a very static document that you want anyone who visits your site to be able to sign could work. It's certainly a lot easier than API integration. However anything more complicated would probably be better solved through the API.
It is let reply but it can help for other guy's
Firstly you can choose direct way instead of email. but keep in mind email is more secure then direct way.
Then you can changed these landing pages from the Classic DocuSign Experience by going to Preferences, clicking Features under the Account Administration section and clicking the In-session Landing pages link under Advanced Options. You can enter your website link to redirect back to the website on each action such as completing the Power-form or declining to sign. When user submit the power-form it will redirect to your given website action.
I do not believe you can control the re-directs when you use a PowerForm. Instead, the optimized and recommended best-practice approach if you want to Embed DocuSign into your website or app is to use the DocuSign API and open the singing experience in an iFrame (or Webview if doing mobile).
Check out the DocuSign Developer Center where you can create a free developer sandbox and start using the APIs in minutes. Also make sure to check out the API Tools page under the Quick Start section where you'll find the API Walkthroughs with code samples. The bottom three explain Embedded Sending, Embedded Signing, and how to Embed the DocuSign Console itself.
https://www.docusign.com/developer-center/api-tools
Chose whichever language you need, copy the code, replace the variables at the top and run!
One situation that could apply to my question is when verifying my form using javascript. When the user doesn't fill all possible requirements, the submit button is disabled. If the user filled all required fields, the submit button is enabled, allowing the user to submit the form.
There is a browser feature called Developer Tools that can be accessed by pressing F12. This tool can make changes to the code to help developers debug their problem.
Developer Tools is not only for changing CSS, it also change the HTML values and javascript.
Does Browser Developer Tools can help a user/hacker enable the submit button without filling all the requirements first? Is it possible also to hack websites using Developer Tools?
Front end validations are more of a convenience rather than a security feature. You must have validations on the server side for data integrity and security. You can enable the Submit button and can submit the data by changing CSS/javascript on the browser. It will not be enough to hack website if the server side validations are in place.
Disclaimer: This is only for educational reasons, don't use this for practice as in lots of countries hacking is illegal (legal only if hacking was done due penetration testing or have permission)
Well actually this is possible to hack webpages using F12 which is Developer Tools.
If you have knowledge in Javascript and other website programming languages you can hack by making password and user generator. Then this generator will generate all possible list and using auto-fill hack and auto-submitter (you must create these too) you have chance to bypass security.
Don't do this! Seriously! Don't do this!
I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default chrome popup balloon was undesirable. Thus I've used a modal dialog and jquery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM o the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password fields ID they could run a script to continuously monitor the password and username field and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iFrame which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is iframes are subject to same-origin scripting policies as other websites, but I may be mistaken.
As such, would do the same thing be secure?
TLDR
To simplify, if I embedded a https login form from our server into a given DOM, via a chrome extension, are there security concerns to password sniffing?
If this is not the best way to deal with chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that javascript can simply not interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The Same origin policy does indeed protect the contents of the iframe from the main page.
However. There's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting a credentials in a popup window: https://stackoverflow.com/a/10341102/938089
I am working on a website related to physically/psychologically abused person.
There is an emergency exit button available all time so the user can click on it before the "aggressive" person enter the room where the computer is located.
When the user click on the emergency button, the user is automatically redirected to Google with a query like "cooking apple pie" (this is an example).
Also, we would like to hide our website from the browser history in case the aggressive person check the history of the abused person. I think this cannot be done technically.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
I tried multiple things to simulate a "browsing" like using an iframe or an ajax query to another website but none populate the browser history.
Is this can be done?
Thank you for your input!
I think you may be focusing too much on the browser and computer that you do not control and not enough on the content and the server that you do control. How about taking a different approach? Why not generate the pages for the user on the fly? The links are only good once. If you click on the home button (your escape key) and the aggressive person looks in the history the attempt to access them a second time could be made to display the weather or lottery results or something innocuous, Focus on what you have control over.
Useful Technical Details
Removing/Preventing Back Button Click History
You can allow the user to browse throughout a webpage without building up a history trail on the back button by having them click exclusively on javascript: links. This would still not remove any of the visited websites from their full browser history, so it's not a full solution.
Here's an example HTML JavaScript link:
CLICK HERE TO ESCAPE!
If this is acceptable, you could build an inoffensive homepage from which the user could access the site that would use JavaScript to send them to the real website. Every link on that new website would have to be a javascript link. Disadvantages of this would be that they would no longer be able to use the back button to navigate and that JavaScript is 100% required for the site to function.
Sanitized History
Make sure you have inoffensive titles and icons for any pages in the site so if the user does not delete their browser history they will not grab the attention of the third party.
Preventing Access to Protected Content
One option you have is to disguise your website as something else by having the user log in before they are allowed to access any of the content. You could save their session/login data in such a way that it is cleared if they hit an escape button it is erased or reset. As part of the login page, you could give users an alternate password to type in that would redirect them to fake content if their abuser becomes suspicious enough to demand they log in.
The session/login information should never save between browser sessions and always have a short expiration period, to further reduce the chances of the abuser gaining access to the website.
Disguising the Site
Considerations
If you choose to disguise the site either on the homepage or behind a "fake" login, be very careful to choose something that makes sense and would not arouse suspicion or interest. You don't want the fake page to be some sort of game or anything that might pique the third party's interest.
You also don't want it to look so boring or mundane that the original user would be hard-pressed to explain their possibly frequent visits. It shouldn't be anything so specific that the third party would think twice about the original user visiting it though. For example, it might be suspicious if someone who does not enjoy the great outdoors were to be visiting a page on mountain biking.
It also can't do something like just redirect them to Google without explaining the fact that they had to log in to access it.
General Advice
Private Browsing
Multiple sources have suggested either educating your target audience in how to use IE's InPrivate Browsing mode, Firefox's Private Browsing mode, or Chrome's Incognito mode.
There unfortunately does not appear to be a way to prevent the browser from keeping the current page in its browsing history through JavaScript. It's possible there might be some sort of plug-in or third-party control which would enable this, but it's probably just easier to get your users to use a private browsing mode.
Clearing History
Clearing a user's web history would not be possible since browsers restrict websites from accessing or altering data on the user's computer directly. Since the user's browser history is part of this data it would be a security issue if any website could clear the history.
You should provide instructions to your users for pruning or clearing their browser history, whether on the website itself before they enter, or through whatever resource you showed them how to access your website.
Generating a Fake History
If you need to generate a fake list of visited websites, you can always create new tabs/windows for the users (or possibly iframes) at timed intervals with JavaScript, but the user would have to disable their popup blocker for this to take effect.
Further Reading
Here is a helpful article on creating a useful Quick Disguised Exit From A Website. This forum thread that I found it on also had some useful information, but it's likely you've already seen it.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
Have you cosidered turning it around?
What if technically all your pages and its content are about something else. So it is the content you want to hide that's loaded in a special way, making it easier for you to avoid having it in the browser history.
So then it becomes about knowing when to load/show the special content.
Above said, it's very important what #Frédéric Hamidi said:
Just keep in mind that if the "aggressive" person has control over that computer or the network, nothing can really prevent him/her from installing loggers on the machine or analyzing network traffic.
IE's InPrivate Browsing mode, Firefox's Private Browsing mode, and Chrome's Incognito mode
I would recommend this to prevent the abuser from finding the secret site in the browsing history.
Also, opening a social networking site and letting the browsing history collect that would be an excellent and believable excuse for the time spent on the computer.
I am making a website for a band and i want to know if there is a possible option to add a wall to the website with a like button and reaction box like it is on facebook
i can not find this how to get this done ( i don't want to use a iframe more like a plugin that only show there post with likebutton and reaction option and so on
with other words copy paste the wall of the band page directly with all options to the website
with friendly greats
jorgen
What kind of website? Are you using some cms or building something by yourself? How should this "like" functionality behave?
To answer your question as general as it's asked: Yes it's possible.
If you're using a content management system you may want to search for a module that has such functionality.