Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I am working on an online video training website and i want to make secure my videos so that no one can download the videos. Can any one help me how can i restrict video download, i have tried different HTML5 and javascript players but none of these are providing this feature.
You can store the video files outside of the web root or inside a restricted directory. A user logs into the web application normally. Then you have a server side script that checks the users permissions and opens the file for the user.
Alternatively if there is no login then the player can request a token from the web application. This token is then used to access the file only once. This is the best you can do, of course an attacker can still save the file. A user will always be able to do this until the end of time, because thats how the Internet works.
you can create the file name longest enough as permitted by server (applies to photos as well)...cannot be saved even from a smart phone...make sure the file name long enough. Then use this encrypter:
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm
Blend in the new code into your html.
Finally use additional scripting to disable right click (search internet for this free script).
Stream the video.. Hide the root from the server there's many ways to do that. Encrypt the file do all the right clicks off when over the stream. And for the end choose a very rare format! A normal user will give up. An advanced user will get it no matter what!
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
Currently, our associates use a Mainframe application, but have to stop during the process to get information from the web. They begin to process a transaction, but once they get to a specific screen, they need to retrieve data from the web to determine the next steps. They stop and start a web browser, login to a site, copy and paste the data retrieved from the Mainframe application into the web browser and get the results from the web site. They then continue to process the transaction on the Mainframe. I would like to automate this. From the Mainframe, a PFkey is pressed, that starts a web browser. It would automatically log into the website (generic username and password), pass the specific data from the Mainframe (screen scrape) and show the results from the web browser. Any thoughts would be appreciated!
You don't indicate the mainframe runtime environment, but if the mainframe application is running in CICS, you may be able to use CICS APIs to access the web page in question. This would not be in a separate browser window but in the mainframe code.
This wouldn't be any easier than the path #SaggingRufus indicates. Parsing HTML can be interesting.
IBM's CICS Knowledge Center has the documentation for CICS APIs.
You can't really do that (at least not easily).
You would basically be looking at programming some form of VB script/macro that would interact with the terminal emulator (not the mainframe itself) and the web browser. I would probably advise against this. What really needs to happen here is find what exactly the requirement is. Why would they need this macro, and is there anyway that mainframe application can do coded to get information without the use of the browser. Like hitting a database or a file somewhere that contains the information it needs.
There is a product that will aid in building REST calls from existing mainframe applications to external REST services. It is called z/OS Connect. It provides the tooling to form the request and parse the response so you can execute the request as part of the application and not bother with the emulator. z/OS Connect supports CICS, IMS, MQ and DB2.
Its not free but it was designed to make what you want to do a lot easier.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I have this Wordpress page that a colleague of mine has been working on. The user has to be able to login in and upload some files. We are thinking about using this plugin for logging in
https://wordpress.org/plugins/profile-builder/
When logged in, the user has access to a page with a feature where he/she can select a file from his/her harddisk. The selected file should then be uploaded to an FTP server. When the upload is complete, the page should display a list of the files the user has already uploaded and have an option to delete each individual file.
I realise that this requires sending commands to the the FTP server (LIST, DELE, MKD etc).
I have considered making my on Node.js server and letting the server handle the FTP upload, but I am also thinking that there should be a Wordpress plugin for this. I have tried searching, but all I can find is instructions on how to use Wordpress' own FTP upload function to deploy a site, which is not particularly helpfull for me. Also, I don't have any experience with Wordpress, but have some web experience, so making sense of it shouldn't be difficult.
So have any of you guys done some similar before and maybe know a plugin? Or made your own server application for something like this?
Thank you.
Mains problems about upload by users in wp-upload is security, and the files type accepted by the wp uploader. It's better to use our own code, that sanitize the file following your parameters.
You can try:
https://wordpress.org/plugins/frontend-uploader/
or
https://wordpress.org/plugins/wp-file-upload/
Well this is fairly simple if you have some php skills. You dont even need any kind of ftp access. So here is a basic breakdown of how it should be done the "wordpress way".
1) Separate dashboard/user areas for different users (the page they see
after login)
Well its not a good idea to give users access to the backend/admin area and is not very user friendly as well, so you can look into theme-my-login plugin which does a great job of creating login pages and separate pages where users are redirected after login.
2) Then you need to have a upload area where users can upload the movies from their computer
For this you can look us wordpress attachment functions. You have functions for uploading, deleting etc. Just create a simple form and grab the uploaded file and pass them through these functions (you should look into sanitizing data properly / validation), you might also need to increase the size of uploaded files through php.ini etc.
wp_insert_attachment, wp_delete_attachment, wp_get_attachment_url
3) A repository of all movies uploaded by specific user
This is a piece of cake with user meta's. The above described attachment functions comes with action hooks, Hooks are like triggers that gets triggered when someone does some action. So once the attachment is uploaded, you can hook into that action and grab the id of the uploaded attachment, name of uploaded attachment etc and them save them to the logged in user's meta. Its better if you use an array of values and then encode them into json. This way a list of all user movies can be store in a single database entry, which would be very efficient.
For creating and updating user meta's you should this function update_user_meta, delete_user_meta, etc.
Now to show all movies by a user, you can use something like get_user_meta('movie_list')
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Recently I found a hardware device that can prevent bot attacks by changing html DOM elements on the fly The details are mentioned here
The html input element id and name and also form element action will be replaced with some random string before page is sent to client. After client submit, the hardware device replace its values with originals. So the server code will remain on change and bots can not work on fixed input name, id.
That was the total idea, BUT they also have claimed that this product can solve the man in the browser attack.
http://techxplore.com/news/2014-01-world-botwall.html :
Shape Security claims that the added code to a web site won't cause
any noticeable delays to the user interface (or how it appears) and
that it works against other types of attacks as well, such as account
takeover, and man-in-the-browser. They note that their approach works
because it deflects attacks in real time whereas code for botnets is
changed only when it installs (to change its signature).
Theoretically is it possible that some one can prevent the man in the browser attack at the server?!
Theoretically is it possible that some one can prevent the man in the browser attack at the server?!
Nope. Clearly the compromised client can do anything a real user can.
Making your pages more resistant to automation is potentially an arms race of updates and countermeasures. Obfuscation like this can at best make it annoying enough to automate your site that it's not worth it to the attacker—that is, you try to make yourself no longer the ‘low-hanging fruit’.
They note that their approach works because it deflects attacks in real time whereas code for botnets is changed only when it installs (to change its signature).
This seems pretty meaningless. Bots naturally can update their own code. Indeed banking trojans commonly update themselves to work around changes to account login pages. Unless the service includes live updates pushed out to the filter boxes to work around these updates, you still don't win.
(Such an Automation Arms Race As A Service would be an interesting proposition. However I would be worried about new obfuscation features breaking your applications. For example imagine what would happen for the noddy form-field-renaming example on the linked site if you have your own client-side scripts were relying on those names. Or indeed if your whole site was a client-side Single Page App, this would have no effect.)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
We're creating a new web app based in Node. As many apps do, we would like to restrict the number of users who sign up, so we can test and scale up smoothly. So, people would sign up (with an email address), and then when a batch of users are released (either manually or automatically), that batch would receive an email that would allow them to sign up.
I've seen this process a number of times on the user side, but have never been involved with building a beta queue system, so I'm not sure the best way to approach this from a architecture / code perspective. Some specific questions might be:
What would be the flow for signup from a Node perspective?
What might be the underlying data model?
For "time-released" or batch releases of users, what might be the best way to manage that or trigger it?
Are there are node modules that might help with this?
Any help appreciated.
I implemented something like this in a .Net / SQL Server setup.
Basically, the user table had a flag indicating that that user was a beta user and allowed access.
Then I modified the user authentication module to return a different error message indicating that the were signed up but they couldn't access the application yet. This would only show if they successfully authenticated like normal. You could also send them to a different landing page so it doesn't look like they used the wrong credentials.
Next you can provide an admin interface to kick off a script to set the beta flag on a batch of users. This should also trigger some type of notification to let the user know they have access.
For time released options, you could have something else trigger the batch script to set the flags, or have a monitor service that finds any users without access that signed up over X days ago.
I think a lot of this would need to be customized based on your application and when you want to release beta users. There are also some services out there that allow single sign-on and gather analytics about your beta users if you want to see more information without having to roll your own.
Hope this helps. It would be nice to see an actual module you could drop in and configure with your specific database, user model, and authentication / signup process.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Tumblr allows users to edit the HTML and CSS of their blogs through a Templating system. In fact, it even allows users to include their own external scripts into their pages. Doing this obviously opens a lot of security holes for Tumblr; however, it's obviously doing fine. What's even more interesting is how Tumblr's team managed to do all these through a LAMP Stack before.
One thing that I found out through pinging different Tumblr sites is that the blog sites are dispersed through multiple servers.
Nonetheless, hacking the root of just one of those servers could compromise a ton of data. Furthermore, while some could argue that Tumblr may just be doing manual checks on each of its blogging sites, it still seems pretty risky and unpractical for Tumblr's team to do so because of the amount of data that Tumblr has. Because of this, I think there are still some aspects that checking manually hasn't covered yet, especially in terms of how Tumblr's team filters their user input before it enters their database.
My main question: How does Tumblr (or any other similar site) filter its user input and thereby, prevent hacking and exploits from happening?
What is Tumblr.
Tumblr is a microbloggin service, which lets its users to post multimedia and short text blogs on their website.
Formating and styling blog
Every blog service lets its user to edit and share the content. At the same time they also let their users to style their blog depending on what type of service they are providing.
For instance, A company blog can never have a garden image as its background and at the same time a shopkeeper can never show a beach image; unless they are present at that place or include such objects in their work.
What Tumblr. does
Well, they just keep checking the files for any error!
As a general bloggin platform. It is necessary to allow the users to upload and style them blogs. And at the same time it is a job for the company to keep the control of how their service is used!
So Tumblr. keeps a great note on these things. They also donot allow to upload files that infect the system, and are well-known to delete such accounts if anything fishy is caught!
Tumblr. allows the users to upload files and multimedia that is used to style the blog. They used a seperate platform where to save all such files! So when you upload it, it does not get executed on their system. They access it from the server or from the hard drive which these files are saved on and then provide you with the blog that includes those files.
What would I do
I would do the same, I would first upload and save the files on a seperate place, where if executed they donot harm my system if are infected by a virus. Not all the users upload virus. But once they do, you should use an antivirus system to detect and remove the virus and at the same time block that account.
I would have let the users to use my service, now its user's job to upload content and its my job to prevent hacking.
All this stuff (HTML/CSS/External scripts) does not run on Tumblr machines. So to them it does not matter. One is responsible for the stuff that runs on your own PC. As to Javascript it lives in a sandpit