Comment by SHOBHIT RASTOGI on "Introducing StaticShield🛡: Password protect a website in less than 2 mins."

Lalit Your site and work looks amazing. Keep up the great work. But does it really works ? scripting based security can be manipulated in browser, One can block the script in browser and can access the secured page even without password.

Block the script in browser.
Unhide staticshield-div

And there you go you can see the secured page, no matter how many times it is hashed :p

Maybe this can be used as a quick solution but not certainly to make anything secured,

Please let me know if I am missing anything.

Thanks SHOBHIT RASTOGI, glad you liked StaticShield

– One can block the script in browser and can access the secured page even without password.

I have taken that into account - If javascript is blocked from executing, the <noscript> tag instantly gets activated which then redirects the page here which asks the user to enable Javascript (and links them to a guide). Moreover Javascript frameworks like react and vue require js to render and paint the screen itself.

– Unhide staticshield-div

When a password protected site loads, the rendered HTML is not displayed with the help of CSS. And as soon as the javascript script loads, the user is redirected to login page if no valid token exists.

Removing the staticshield-div is practically not possible because the rendering of html and css happens in milliseconds usually, and opening the DevTools and removing the staticshield-div class in this short period of time is practically impossible.

Frameworks like Next.js (version 11) prioritize the execution of client js scripts before the rendering of html and css when the stratergy is set to beforeInteractive. More info here

Please do let me know your queries 🙂

Lalit Request is blocked not in real time, Please check this you might understand what I am trying to say,

streamable.com/sxjm3r

Thanks,

Thanks for the response SHOBHIT RASTOGI

The link seems to be broken, can you please check it?

Thanks

Lalit Clicking on it should work have uploaded on google drive too

Link

Please check

SHOBHIT RASTOGI That was a good catch! I did not know that you can block certain requests with Chrome DevTools.

I just pushed a solution for it!! I have updated only the with-html example. I will be updating others soon.

Here's a demo 👇

loom.com/share/ffad11caf8cf4b11b344d1c1844cb7dd

Lalit I am afraid that any client side fix will not work, It can still be manipulated.

Install extension in chrome.
Inject the script with the settings shown in the video.

loom.com/share/dd954763e90343a998c6594697abf85e

Still secured page can be accessed.

SHOBHIT RASTOGI This is an excellent catch. I didn't think of it this way. Another concern is the way security is handled in the backend. In this block of code, the TOKEN_SECRET is manually added to the token.

loom.com/share/2310a29733d44bd2ba86241b8393924f

Now I can mint my own tokens

Amal Shaji That is an excellent observation.

Amal Shaji I do not know why jwt.io shows the signature is verified, but the jwt token is signed with a different key (JWT_TOKEN) and the . is replaced with an other key (TOKEN_SECRET)

Lalit The only way the signature gets verified is only when the tokens are the same. I did not introduce any external factors, all the variables are derived from the token presented to me after a login.

Search Hashnode