Wednesday, February 21, 2007

Prevent content stealing by protecting web pages

This article shows you how to implement different protections for a web page to prevent content stealing. For sake of understanding all examples were implemented in VBScript.

1. Display a message on right mouse click

You need to handle onmousedown event and check which mouse button was pressed. This method doesn’t offer any protection is users press Win-ContextMenu system key.

Sub document_onmousedown
If window.event.button = 2 Then MsgBox "This page is protected."
End Sub


2. Disable context menu

This protection method works only on IE but is nicer than the previous method. You need to handle the event that is fired on context menu popup.

Sub document_oncontextmenu
window.event.returnValue = False
End Sub


3. Disable F5 and Backspace keys

This method is especially useful if you indent the user to navigate your site only through navigation controls you implement. Of course, the user can press the Back button on the toolbar, but this inconvenient can also be solved by opening the site in a window without toolbars.

Sub document_onkeydown
Dim key

key = window.event.keyCode

If key = 116 or key = 8 Then
window.event.keyCode = 0
window.event.returnValue = False
End If
End Sub


The above code snippet is just for demo purpose only. In a real world scenario you should check the context where the user presses a key. For instance you should allow Backspace if the user is in an INPUT type field.

4. Protect scripts

This method works only in IE5+. First you need to download script scrambling tool, srcenc.exe from Microsoft.

Let’s say we have the following script in a web page:

<script language=vbscript>
Sub ShowMsg
MsgBox "This is a message"
End Sub
</script>


The result of running the presented tool on this script is the following:

<script language=VBScript.Encode>#@~^MBcAAA==@#@&P~1WswV6sGN'Wl
... dgGAA==^#~@</script>


IE5+ browsers will know how to run scripts written in “VBScript.Encode”. Older browsers will just ignore these encoded scripts. You should know that this method is good only to scare beginners because experienced hackers can easily revert the encryption.

5. Protect entire web page content

For this you need to use one of the many protection tools available on Internet. Usually these tools are removing all white spaces from HTML pages, the result being an unintelligible block of tags.

6. Protect discrete page elements

The following paragraphs will show you how to protect different page elements against incorrect user actions. These are not security protections but more protections against incorrect usage that would otherwise trigger a non-planned behavior.

6.1. Create unelectable paragraphs

<body UNSELECTABLE="on">
...

<div UNSELECTABLE="on" style="cursor:default;">This text cannot be selected using mouse</div>
...
</body>


6.2. Disable automatic field’s fill up

This method is useful for fields used for typing username or address. Normally after a few letters types, IE will suggest you a previously entered text. This is not a very good idea especially if a web application will be used on public computers.

7. A complex protection for IE browsers

In IE5+ you can combine the above described protection methods in one single “behavior”. The following example shows such method (write the first code in application.htc file and the second in test.htm file).

application.htc

<PUBLIC:ATTACH EVENT="onkeydown" ONEVENT="HandleKeyDown"/>
<PUBLIC:ATTACH EVENT="oncontextmenu" ONEVENT="HandleContextMenu"/>

<script language=vbscript>
Sub HandleKeyDown
Dim key

key = window.event.keyCode

if key = 116 then ‘ F5 does nothing
CancelKeyEvent
elseif key = 8 then ' For Backspace check where is pressed
If CancelInElement(window.event.srcElement) then CancelKeyEvent
end if
End Sub

Sub HandleContextMenu
If CancelInElement(window.event.srcElement) then _
window.event.returnValue = false
End Sub

Sub CancelKeyEvent
window.event.keyCode = 0
window.event.returnValue = false
End Sub

Function CancelInElement(elem)
Dim re

re = true

select case elem.tagName
case "INPUT" if LCase(elem.type) = "text" then re = false
case "TEXTAREA" re = false
case "DIV", "SPAN" if elem.contenteditable = "true" then re = false
end select

CancelInElement = re
End Function

</script>

test.htm

<HTML>
<head>
<style>
BODY
{
BACKGROUND-COLOR: steelblue;
FONT-FAMILY: Verdana;
FONT-SIZE: 10px;
behavior:url('application.htc');
cursor: default;
}
</style>
</head>

<BODY UNSELECTABLE="on">

Time: <span id=clock UNSELECTABLE="on"></span><br>
<input type="text"><br><textarea></textarea>

<div UNSELECTABLE="on" style="background-color:red;width:200px;height:100px;">
This is a regular DIV...
</div>

<div contenteditable=true style="cursor:text;border:inset thin;background-color:white;width:200px;height:100px;">
This is an <b>EDITABLE</b> DIV...
</div>

<script language=vbscript>
sub window_onload
clock.innerHTML = Now()
end sub
</script>

</BODY>
</HTML>

I hope this was useful. I’m waiting for comments and suggestions, especially regarding how to implement similar protections on Firefox.

7 comments:

Anonymous said...

The idea of "protecting" web pages or content on it is absurd. If you want to "protect" content, then why allow the whole world to download it? Just don't make a website!

Most of what thing you have described is circumvented by turning off scripting in the browser. There is no support for VBScript in Firefox, anyway, so your scripts are harmless.

Also, the UNSELECTABLE="on" trick fails in Firefox because that is not part of the HTML specifications; it's an IE-specific attribute.

Anonymous said...

Is it really worth your time? Generally I surf through a proxy that dynamically strips out certain javascripts from the http stream before it gets to the browser, in other words I can always get to the right click context menu. Firefox has a plug-in that does something similar. Realistically, if you want to keep it secret don't put it on the web.

Anonymous said...

anyone can dl the page with wget and then remove whatever protectiosn you added

VMASOFT said...

While personally I consider that protecting web pages is not worth the effort, there are certain people out there (especially beginners or non-tech savvy ones) very interested in this subject. The article just enumerates a couple of protection methods that can be used. Each developer should decide for himself if will implement these protections. Advanced developers and companies just mention that the content is copyrighted without implementing other protections. Besides the protections enumerated in the post are not for advanced web site visitors (who by the way have also a better understanding of intellectual property) but for beginner visitors.

Anonymous said...

I think an article about why you think it's not worth to consider "protecting" web pages is more useful to a curious beginner than fragile blobs of VB or JS script. The mentality of copying snippets of code into a page is something that should be discouraged with an explanation, in my opinion. :)

Anonymous said...

good job man. you just gave me more ideas on how to make my php business application more secure and be better interactively. tnx

Anonymous said...

Hi Very funny post...