Protect DHTML Source Codes with ASP Technology

zhaozj 2021-02-17

Using ASP technology to protect DHTML source. Original author: Panasonic customer, 01-5-25 01:52:57 PM

DHTML lets us build powerful client-side web applications that are cross-browser compatible, interactive and portable. Its drawback is that users can view the JavaScript code directly. This article describes how to use ASP to protect DHTML code so that nobody can simply take it.

Traditional protection technology

It is well known that the Web is essentially an insecure medium. When a user accesses a web application or opens a web page, all of the client-side code (HTML, JavaScript source files and CSS styles) is normally downloaded into the client's cache. The user only needs to click "View Source" to view, analyze and copy this code.

MSDN reproduces part of the Wrox book "Instant JavaScript", which points out several ways to protect JavaScript code; refer to that article for details.

Client-side JavaScript protection methods fall into the following categories:

a) Microsoft's method: Microsoft addresses client-side source protection with the Windows Script Engine version 5.0, in which the source code is encoded (not encrypted) by an ActiveX layer. See "Script Encoding with the Microsoft Script Engine Version 5.0".

The disadvantage of this method is that encoded scripts work only with IE 5.0, and Microsoft frankly admits that the encoding process is not easy. If other browsers are used (including earlier versions of IE), the browser cannot run the script code at all.

b) Code obfuscation: some shareware, such as Jammer and JMyth, tries to make the code hard to read by replacing variable names with meaningless ones, so that nobody wants to take the JavaScript. The drawback of this approach is that any determined programmer can easily defeat it with a global search-and-replace tool, since it only takes renaming the meaningless variables back to meaningful ones. For more on Jammer, see its description.

c) Encryption: there are many schemes and tools that can encrypt JavaScript code effectively. The main problem with encrypting client-side JavaScript is that the script used to decrypt it is usually easy to obtain, which lets the code be reverse engineered. Obviously, this approach cannot stop any serious programmer from getting the source. Although Java can be used as an intermediary for encryption and decryption, the applet adds unnecessary load to the web page and may not work correctly depending on the version of the Java virtual machine the browser uses. By comparison, DHTML means fast, small, general and portable.

A new method

While testing WML (Wireless Markup Language), I thought of a new way to protect client-side source code. On an ASP-based WML page, the server-side code begins like this:

<% Response.ContentType = "text/vnd.wap.wml" %>
<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
    "http://www.wapforum.org/dtd/wml_1.1.xml">
......

As you can see, we first send a WML header so that the wireless browser treats the ASP page as a real WML page. The same technique can be used to protect JavaScript source files (.js files).

Netscape introduced support for JavaScript source files with the release of JavaScript 1.2. Most browsers that support this version of JavaScript support JavaScript source files (Internet Explorer 3.0, Netscape 3.0 and Opera 5.0). Dynamic HTML (DHTML) consists of JavaScript and CSS: CSS styles let developers position page elements freely in the browser window, while JavaScript provides the functionality on the browser side. JavaScript is a key component of DHTML.

The new DHTML source protection method is explained below. The example involves three files: Index.asp, js.asp and Global.asa. Global.asa defines a session variable, auth, which is used to verify that the page requesting the JavaScript source file is legitimate. A session variable was chosen here because it is comparatively convenient.

Global.asa

<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Session_OnStart
    ' Every new session starts out untrusted.
    Session("auth") = False
End Sub
</SCRIPT>

I tried the HTTP_REFERER server variable to verify whether the origin of the requesting page is legitimate, and then discovered that this variable can be faked via Telnet, and that some browsers do not pass the HTTP_REFERER variable correctly.

Index.asp

<%
' Mark this session as a trusted origin for the js.asp request that follows.
Session("auth") = True
' Prevent the browser from caching this page.
Response.Expires = 0
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "Cache-Control", "private"
Response.CacheControl = "no-cache"
%>
<html>
<head>
<title>Test Page</title>
<script language="JavaScript" type="text/javascript" src="js.asp"></script>
</head>
<body>
<script language="JavaScript">test();</script>
<br>
<a href="index.asp">reload</a>
</body>
</html>

Let's look at Index.asp. First, the program sets the auth session variable to True, which means the page requesting the .js file is to be trusted. The next few Response calls prevent the browser from caching Index.asp.

Normally, a JavaScript source file is referenced from an HTML file like this:

<script language="JavaScript" src="yourscript.js"></script>

But in this case we reference an ASP page instead of a JavaScript source file:

<script language="JavaScript" type="text/javascript" src="js.asp"></script>

If you want to hide the fact that the application is requesting an ASP page, rename js.asp to index.asp (or default.asp), put that file into a separate directory such as "/js/", and change the line to:

<script language="JavaScript" type="text/javascript" src="/js/"></script>

This will confuse almost anyone who tries to fetch the JavaScript source file. However, don't forget to configure the default document name correctly in the IIS server.

js.asp

<%
If Session("auth") = True Then
    ' Trusted origin: send the script as JavaScript, uncached, and reset the flag
    ' so that the same session cannot simply request js.asp again.
    Response.ContentType = "application/x-javascript"
    Response.Expires = 0
    Response.ExpiresAbsolute = Now() - 1
    Response.AddHeader "Pragma", "no-cache"
    Response.AddHeader "Cache-Control", "private"
    Response.CacheControl = "no-cache"
    Session("auth") = False
%>
function test() {
    document.write('This is the output of the JavaScript function.');
}
<% Else %>
<!-- This code is protected by copyright. All rights reserved. -->
<% End If %>

Let's analyze how js.asp verifies the request and sends the JavaScript code. The program first checks the session variable auth to see whether the origin of the request is legitimate. If so, it turns off browser caching, resets the session variable and sends the JavaScript code to the browser. If the request for js.asp does not come from a trusted origin, the session variable auth is False and the program sends only a blank page containing the copyright notice.

As a result, if a user tries to download the JavaScript source file, or to use it on another website, he gets nothing but a blank page. In this way we also control who can access the DHTML source file.

If you also want to protect the HTML of the actual page content, you can add a function to js.asp, as shown below:

function html() {
    document.write('<html><body>page content</body></html>');
}

The main page then simply calls html() to build the page. The page is displayed only if JavaScript is enabled in the user's browser. If the user views the page source, he sees only a single function call, not the source returned by that call. An ASP file that exhibits two (or more) different file types in this way can be called a "mixed ASP". Some features of the JavaScript/ASP mixed file:

● The JavaScript source is written directly to the browser.

● The file passes through the necessary verification, which prevents the user from downloading the source code.

● End users cannot access the source code directly.

The code above has been tested on Personal Web Server and on IIS 4, on the Windows 98 and Windows NT platforms.
The code runs smoothly on the following browsers: Netscape 4.7, Internet Explorer 5, Netscape 6 and Opera 5.0.

Limitations

As with any other technology, the techniques described here have their own inherent limitations.

▲ Session variables:

In the example above, we use a session variable to verify the origin of the JavaScript source file request. If the number of visits is very high, this may not be the best way to verify.

A session variable is created each time a user accesses the web page or web application. By default the server keeps the session identifier for 20 minutes. If the server maintains state information for all of these sessions at the same time, you can imagine how high the load becomes.

There are two main ways to address this:

● Keep as little state as possible on the server. In addition, call Session.Abandon to release the session state after the code has been sent to the browser. This method suits small and medium traffic websites.

● For high-traffic websites, it is recommended to verify via a GUID and a database instead of maintaining session state.

▲ Memory allocation:

Most Mozilla-based browsers use the SpiderMonkey JavaScript engine to interpret JavaScript. The advantages of this engine include interpreted execution (as opposed to compilation) and dynamic garbage collection (in other words, memory is reclaimed automatically).

Try the following: run the example above. After the function has executed, click in the address bar, select the URL and press Enter. You will see that the function does not execute and the browser shows a JavaScript error.
However, if you click the browser's refresh button, the function runs normally.

The reason for this is as follows. After the JavaScript function has executed, the browser assumes the code can be obtained from the cache again if needed, so it considers it safe to release the memory reserved for the JavaScript. But the ASP code has forbidden the browser to cache the JavaScript code. Since the browser can no longer reference the function in memory, and cannot get the function code from the cache either, you see an error when you press Enter.

When you click the browser's refresh button, the browser re-downloads the function code and executes it. If the code is no longer referenced, the JavaScript engine releases the function. There is, however, a way to force the browser to keep a function in memory: keep a reference to the function live for the whole time the program runs.

▲ Early or incompatible browsers:

There is no doubt that the method described in this article is not suitable for browsers with a JavaScript version earlier than 1.2. The solution is to write a pre-check that tests whether the user's browser is compatible with your web application.

▲ Packet interception:

In theory, as long as the person trying to take the code is determined enough, he can obtain it by capturing the data as it is sent to the browser. However, the time and effort this takes make it almost impractical. Moreover, if you want 100% secure transmission, you can use SSL. The only drawback of SSL is that the application can then only run in browsers that support SSL. Note that SSL protects the code only in transit; the browser at the other end still receives the plain script.

■ Summary:

Applications of the "mixed ASP" technique are of course not limited to ASP and JavaScript source files. In theory it can be applied with many server-side scripting technologies, such as CGI or PHP. In addition, the technique can be used to protect other documents, such as graphics, sound and documentation.
For example, a "mixed ASP" file can serve a graphic: verify the origin of the request, send the appropriate header to the browser, then extract the graphic file from a BLOB field in a SQL database. This area can be said to be largely unexplored.

In the years to come, JavaScript and DHTML will continue to develop and remain important web development tools. The W3C is expected to recognize the value and importance of client-side programming tools and to create a standard that protects them.

Source: https://www.9cbs.com/read-31398.html
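The Index.asp / js.asp hand-off described in the article, modelled in plain JavaScript so the session-gating logic can be exercised offline. This is an added example, not code from the original article; the session store, handleIndex, handleJs and the request/response shapes are assumptions, while the header values mirror the ASP code above.

```javascript
// Added example (not from the original article): the Index.asp / js.asp hand-off
// modelled in plain JavaScript. sessions, handleIndex, handleJs and the request
// shapes are assumptions; the header values mirror the ASP code above.
const JS_SOURCE =
  "function test() { document.write('This is the output of the JavaScript function.'); }";
const BLANK_PAGE = "<!-- This code is protected by copyright. All rights reserved. -->";

// One record per session id, playing the role of Session("auth"), which
// Session_OnStart in Global.asa initialises to False.
const sessions = new Map();
function getSession(sessionId) {
  if (!sessions.has(sessionId)) sessions.set(sessionId, { auth: false });
  return sessions.get(sessionId);
}

// The Response.Expires / AddHeader / CacheControl calls, as a header object.
function noCacheHeaders(contentType) {
  return { "Content-Type": contentType, "Expires": "0",
           "Pragma": "no-cache", "Cache-Control": "private, no-cache" };
}

// Index.asp: flag this session as a trusted origin for the next js.asp request.
function handleIndex(sessionId) {
  getSession(sessionId).auth = true;
  return { headers: noCacheHeaders("text/html"),
           body: '<script type="text/javascript" src="js.asp"></script>' };
}

// js.asp: serve the script once, then reset the flag, so that typing the js.asp
// URL afterwards or hot-linking it from another site yields only the comment.
function handleJs(sessionId) {
  const s = getSession(sessionId);
  if (s.auth) {
    s.auth = false;
    return { headers: noCacheHeaders("application/x-javascript"), body: JS_SOURCE };
  }
  return { headers: noCacheHeaders("text/html"), body: BLANK_PAGE };
}

// The sequence the article describes, for one constructed session id.
function demo(sessionId = "sess-1") {
  handleIndex(sessionId);             // page load sets auth = true
  const first = handleJs(sessionId);  // <script src="js.asp"> fetch: gets the code
  const second = handleJs(sessionId); // direct re-request: flag already reset
  return { firstIsCode: first.body === JS_SOURCE,
           secondIsBlank: second.body === BLANK_PAGE };
}
```

The gate only distinguishes a page-initiated fetch from a stand-alone or cross-site request; the browser that loaded Index.asp still receives the plain script, which is the interception limitation the article notes.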