#1
Programming Guru
I have a web application developed in PL/SQL running on Oracle. I am randomly generating 10 passwords for my users as examples that they can select and use if they desire. They are fairly complex passwords, so the user may write them down or print them out... this is not acceptable by our audit standards.
Now, I know that it is damn near impossible to keep the user from printing passwords, because if they know what they are doing (disabling JavaScript, right clicks, print screens, etc.) they can get it. All of this aside, I will still pose the question. I want the user to not be able to use the "common" ways of printing these screens. I have found JavaScript scripts (though not tested yet) to disable the right click and the print screen button... but not File -> Print. Is there some way I can embed this list into the site via JavaScript or PL/SQL's equivalent so that it will blank itself out if printing or copying is attempted, or eliminate the possibility of saving or printing altogether? I know this is not technically 100% possible, but the end users aren't really advanced enough to know the "magical" ways to print the screen after it's restricted with said methods. What would be your approach? Thanks for any responses.
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

#2
PFO Founder
Well, I'm not really sure how to restrict the printing and whatnot, but I know that most scripts that stop you from being allowed to right click are easy to bypass by just right clicking and then left clicking really quickly, or right hold and then left and let go at the same time, and you will bypass the stopping of right clicking. I learned this a few years back and know it works pretty well to get by that, because a lot of sites try to disable right clicking on images so you can copy them, but that doesn't work.
__________________
BIG K aka Kyle Programming Forums Kyle K Online Please do not PM or email me programming questions. Post them in the forums instead.

#3
Programming Guru
Yeah, I figured there wasn't a surefire way to do this... I'm going to try and use the "user doesn't know any better" approach and see if that works.
I noticed that this thread was moved. Is this JavaScript section newly added? Or am I brain dead and completely missed it when I added the thread?
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

#4
PFO Founder
It's always been here, but it was in the scripting language misc instead of the web dev misc.
__________________
BIG K aka Kyle Programming Forums Kyle K Online Please do not PM or email me programming questions. Post them in the forums instead.

#5
Programming Guru
Oops. Makes sense.
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

#6
Expert Programmer
An interesting thought on this... if you embed the password into an image file, and then load that image as the background for an HTML table cell, 99% of browsers will not print background information... period... and you cannot usually right click on the password and save the data either, since backgrounds are not treated as your standard image would be.
Best of all, since you can embed it in a table, you can make it look presentable, just put a couple of spaces in the table or some such like that. If you needed to make finding the file more difficult, generate an annoyingly long filename, maybe from a few MD5 sums; call a script which will calculate the MD5 sum of some random text on the fly and then load the appropriate image with that data... then the user would never even really know where the image was coming from. Or just base64 encode even... it does not have to be MD5.
__________________
Clifford Matthew Roche <geek@cliffordroche.com> Web Hosting: http://www.crd-hosting.com Consulting: http://www.crdev-consulting.com

#7
Programming Guru
Quote:
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

#8
Expert Programmer
It is a bit tricky... fairly easy to do with PHP since there are very useful graphical manipulation libraries in PHP... but you could use PHP to create the script which generates the actual image file. All you have to do is find an obscure way to name that file and pass the parameters into it so that it is difficult to call the file...
Actually you could probably set some server side variable in the $_SESSION superglobal, and force a specific hash value to be present (perhaps a hash of the session id) and once the password is generated from that file, delete the hash so a subsequent call will not render the image. They will get the image in the background, and if they go as far as looking into the document source to pull the script name which generated the password, calling the file directly will render a blank image... and effectively useless data. This method seems like it would work really well in all honesty, though not perfect since one could knowingly seed the hash value and then make an implicit call to the rendering file to get the image... but that is a lot of work for someone who does not know how it works internally.
__________________
Clifford Matthew Roche <geek@cliffordroche.com> Web Hosting: http://www.crd-hosting.com Consulting: http://www.crdev-consulting.com
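
The single-use check described in post #8, sketched in server-side JavaScript as an added example (not code from the thread or from any poster). The function names and the in-memory session store are assumptions, and it uses a random token with a short expiry instead of a hash of the session id.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 30_000; // assumption: image is fetched within 30 s of page render

// Hypothetical in-memory session store: sessionId -> { token, expires }
const sessions = new Map();

// Called while rendering the HTML page: arms the gate and returns the
// token to embed in the background-image URL for this one page view.
function armRenderToken(sessionId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionId, { token, expires: now + TOKEN_TTL_MS });
  return token;
}

// Called by the image endpoint. Returns true at most once per armed token.
function consumeRenderToken(sessionId, presented, now = Date.now()) {
  const entry = sessions.get(sessionId);
  if (!entry) return false;
  // Delete before comparing, so a wrong or late request also burns the token.
  sessions.delete(sessionId);
  if (now > entry.expires) return false;
  const expected = Buffer.from(entry.token, 'hex');
  const given = Buffer.from(String(presented), 'hex');
  // Constant-time comparison; a length mismatch is rejected first.
  return expected.length === given.length &&
         crypto.timingSafeEqual(expected, given);
}

// Stand-in for the image renderer: the real password image on the first
// valid request, a blank image on every other request. 'no-store' keeps
// the browser and proxies from caching the rendered password.
function renderPasswordImage(sessionId, presented, password, now = Date.now()) {
  const ok = consumeRenderToken(sessionId, presented, now);
  return {
    status: 200,
    cacheControl: 'no-store',
    body: ok ? `IMAGE(${password})` : 'IMAGE(blank)',
  };
}
```

The blank response uses the same status code as the real one, so a direct call to the endpoint looks no different from a successful render.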

#9
Programming Guru
Unfortunately, this configuration does not have PHP support... only JavaScript and PL/SQL... However, the approach is logical and should be able to be implemented in the languages at my disposal. Thanks for the idea.
__________________
http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

#10
Expert Programmer
Ah, sorry, I completely forgot about that in my last post... nonetheless, with Java alone something similar to that should be doable, perhaps not as easily... but still doable.
Oh, one other vulnerability that system holds is if the user takes a screenshot... but fortunately most users do not know how to do that... even the advanced users... lol. And remember, if you cannot generate images, you could also use smaller images, one for each letter... it would be pointless for a user to download and save each image... they would probably never put it back together in the proper order. You would not even have to hide the names of these images... and you could just use multiple cells to display it, since you can only have one background per cell.
__________________
Clifford Matthew Roche <geek@cliffordroche.com> Web Hosting: http://www.crd-hosting.com Consulting: http://www.crdev-consulting.com