I´m looking to implement a way to avoid the user taking a screenshot from one desktop application. Yes, this seems to be weird asking for that, but we need it. I tried to use OpenGL (SDL_tff) to render the text, but it seems that doesn't stop the user from taking the screenshot. Please, does anybody have some clever idea about how to do it?
Render it to video and use a hardware overlay. those are much more difficult to capture since they are technically never rendered to the screen like other apps. It goes directly to the hardware and displays through the graphics card, bypassing normal screen shot domain.
It is still grab-able though.
personally, i'd take a high res photo and run it through a img2txt converter :D
Edit: check out http://www.gamedev.net/community/forums/topic.asp?topic_id=359319 , they seem to have an example, and it specifically states how a "screenshot" of the effect is kinda silly.
As I mentioned in my comment, you can't stop the user from taking a screenshot.
There might be a few things you can do to make it a bit more difficult though, and maybe deter less knowledgeable or driven individuals from taking a screenshot.
A suggestion: you might want to watch for key combinations that are often used for taking screenshots, then briefly hide your text. It may get the behavior that it seems you are looking for: allowing the user to take a screenshot without showing the text.
Another alternative is to provide a very easy and obvious way to let the application take the screenshot FOR the user, without saving the text. This might be useful in the case that you aren't trying to make the text "impossible" to capture, but rather that the user would prefer the screenshots to be text-free.
It's not clear from your question what the motivation behind your request is. If you just would like to have "prettier" screenshots without text, this shouldn't be a hard problem to solve: just do as I mentioned before and provide a built-in mechanism for saving "clean" screenshots.
Just remember that if the user DOES want to save that text, you cannot stop them from doing it.
You cannot accomplish what you want. What you want is, in fact, nonsensical.
Even if you find some clever way to stop them doing it with their computer,
using a good quality digital camera to take a picture of their monitor provides
a remarkably good quality screenshot.
Don't forget to add VM detection routines so you can disable display if you discover you're running under a virtual machine. That way they can't take a screenshot of the VM window.
Unless they modify an open VM to remove that sort of easy tell-tale, in which case you'll have to use something stronger.
Related
I am using the latest swiftui and would like to know if it is possible to create drag & drop boundaries based on color?
I already created a drag & drop with rotation, pinching, etc. But would like to be able to create regions where you can drop into.
Thanks
Yes it is! It's a great idea, and I think you should pursue it.
As it stands there's a hundred different ways to go about things. Spend some time thinking about how you would want it to work, then just take baby steps. You've already covered a lot of the ground work by implementing rotation and pinching.
Write some code (in a playground so you get instant feedback) that does some simple drag and drop work. Add in a line of code that turns the background a different color or changes its opacity when you let go/lift your finger.
Those types of incremental changes are well documented and you will be able to google them quickly. I think it's a great sign that you haven't found ready made examples. It means you are thinking outside the box.
This is an opportunity for you to think like a developer and a designer. If you post your results somewhere or release a project on GitHub at some point, others will be able to find your work using the same search criteria you used when you didn't find any results.
If you get stuck, post the code the code that has you baffled, and I'm sure you get help on this site. Best of luck 🍀
I have a modest codebase (C++) that is well-documented but nonetheless very complex. I am involved in its maintenance and debugging, and I find myself drawing the same pictures over and over again, to check for wayward pointers and to look for optimizations. The pictures help a lot, as inconsistencies have crept into the code from time to time on seemingly logical optimizations.
It may be too much to ask, but is there an editor that would let me draw in the margins, a la MS Paint, as auxiliary comments, and maybe even to tack the picture to a particular line? Just in case such a thing exists, I would ideally like to use it alongside Vim.
Such an editor would have suffered the kind of feature creep that is against the philosophy of vim (or at least vi). You're more likely to be happy with adding your own layer of indirection between vim and an external doodling app. As #Mats Petersson suggests, a URL is one way. Or a filename relative to some directory, or an XML tag.
A plugin for vim that recognizes your layer might automatically display your doodles. If Clippy can be implemented as a vim plugin, surely so can this.
If ascii-art suffices, try the plugin DrawIt, http://www.vim.org/scripts/script.php?script_id=40 ; or use that webpage's search box.
I want to develop an auditing application for certain Windows applications. I want to grab the text from MessageBoxes, Windows, Forms, Selections etc and ideally I would like to program in C++.
I've looked into Windows UI Automation as a possible solution, but am slightly put off as it says it will need to know parts of the underlying data structures which I can't get at. Alternatively, I've looked around and Neo's SafeKeys says that it protects against 'field scraping', but upon searching for it I can't find any information on how it is done. Could someone with experience with this please enlighten me? I'm aware you can scrape websites and the like, but I wish to scrape applications instead.
Any help would be greatly appreciated.
Look into using the accessibility layer, MSAA
I presume they are talking about doing a lot of EnumChildWindows() and GetWindowText().
A simple way of doing this without going near any data structures is to use Abbyy's OCR SDK http://www.abbyy.com/ocr_sdk/ to emulate in an application what their amazing Screenshot reader does. http://www.abbyy.com/screenshot_reader/ . With this technology, nothing you can read on the screen is safe from being captured as text, though it makes a mess of the odd character occasionally.
If I have fields that will only ever be displayed to the user that enters them, is there any reason to sanitize them against cross-site scripting?
Edit: So the consensus is clear, that it should be sanitized. What I'm trying to understand is why? If the only user that can ever view the script they insert into the site is the user himself, then the only thing he can do is execute the script himself, which he could already do without my site being involved. What's the threat vector here?
Theoretically: no. If you are sure that only they will ever see this page, then let them script whatever they want.
The problem is that there are a lot of ways in which they can make other people view that page, ways you do not control. They might even open the page on a coworker's computer and have them look at it. It is undeniably an extra attack vector.
Example: a pastebin without persistent storage; you post, you get the result, that's it. A script can be inserted that inconspicuously adds a "donate" button to link to your PayPal account. Put it up on enough people's computer, hope someone donates, ...
I agree that this is not the most shocking and realistic of examples. However, once you have to defend a security-related decision with "that is possible but it does not sound too bad," you know you crossed a certain line.
Otherwise, I do not agree with answers like "never trust user input." That statement is meaningless without context. The point is how to define user input, which was the entire question. Trust how, semantically? Syntactically? To what level; just size? Proper HTML?
Subset of unicode characters? The answer depends on the situation. A bare webserver "does not trust user input" but plenty of sites get hacked today, because the boundaries of "user input" depend on your perspective.
Bottom line: avoid allowing anybody any influence over your product unless it is clear to a sleepy, non-technical consumer what and who.
That rules out almost all JS and HTML from the get-go.
P.S.: In my opinion, the OP deserves credit for asking this question in the first place. "Do not trust your users" is not the golden rule of software development. It is a bad rule of thumb because it is too destructive; it detracts from the subtleties in defining the frontier of acceptable interaction between your product and the outside world. It sounds like the end of a brainstorm, while it should start one.
At its core, software development is about creating a clear interface to and from your application. Everything within that interface is Implementation, everything outside it is Security. Making a program do the things you want it to is so preoccupying one easily forgets about making it not do anything else.
Picture the application you are trying to build as a beautiful picture or photo. With software, you try to approximate that image. You use a spec as a sketch, so already here, the more sloppy your spec, the more blurry your sketch. The outline of your ideal application is razor thin, though! You try to recreate that image with code. Carefully you fill the outline of your sketch. At the core, this is easy. Use wide brushes: blurry sketch or not, this part clearly needs coloring. At the edges, it gets more subtle. This is when you realize your sketch is not perfect. If you go too far, your program starts doing things that you do not want it to, and some of those could be very bad.
When you see a blurry line, you can do two things: look closer at your ideal image and try to refine your sketch, or just stop coloring. If you do the latter, chances are you will not go too far. But you will also make only a rough approximation of your ideal program, at best. And you could still accidentally cross the line anyway! Simply because you are not sure where it is.
You have my blessing in looking closer at that blurry line and trying to redefine it. The closer you get to the edge, the more certain you are where it is, and the less likely you are to cross it.
Anyway, in my opinion, this question was not one of security, but one of design: what are the boundaries of your application, and how does your implementation reflect them?
If "never trust user input" is the answer, your sketch is blurry.
(and if you don't agree: what if OP works for "testxsshere.com"? boom! check-mate.)
(somebody should register testxsshere.com)
Just because you don't display a field to someone, doesn't mean that a potential Black Hat doesn't know that they're there. If you have a potential attack vector in your system, plug the hole. It's going to be really hard to explain to your employer why you didn't if it's ever exploited.
I don't believe this question has been answered entirely. He wants to see an accuall XSS attack if the user can only attack himself. This is actually done by a combination of CSRF and XSS.
With CSRF you can make a user make a request with your payload. So if a user can attack himself using XSS, you can make him attack himself (make him make a request with your XSS).
A quote from The Web Application
Hacker’s Handbook:
COMMON MYTH:
“We’re not worried about that low-risk XSS bug. A user could exploit it only to attack himself.”
Even apparently low-risk vulnerabilities can, under the right circumstances, pave the way for a devastating attack. Taking a defense-in-depth approach to security entails removing every known vulnerability, however insignificant it may seem. The authors have even used XSS to place file browser dialogs or ActiveX controls into the page response, helping to break out of a kiosk-mode system bound to a target web application. Always assume that an attacker will be more imaginative than you in devising ways to exploit minor bugs!
Yes, always sanitize user input:
Never trust user input
It does not take a lot of effort to do so.
The key point being 1.
If the script, or service, that the form submits the values to is available via the internet then anyone, anywhere, can write a script that will submit values to it. So: yes, sanitize all inputs received.
The most basic model of web-security is pretty simple:
Do not trust your users
It's also worth linking to my answer in another post (Steps to become web-security savvy): Steps to become web security savvy.
I can't believe I answered without referring to the title-question:
Is there any reason to sanitize user input to prevent them from cross site scripting themself?
You're not preventing the user's being cross-site scripted, you're protecting your site (or, more importantly, you're client's site) from being the victim of cross-site scripting. If you don't close known security holes because you couldn't be bothered it will become very hard to get repeat business. Or good word-of-mouth advertising and recommendation from previous clients.
Think of it less as protecting your client, think of it -if it helps- as protecting your business.
What is best way for making a draw panel in a web page. I would like to know how to develop something very simple,for example little panel where users can draw a signature.
This is great example drawhere.com, but I need something way simpler.
Thanks
Whilst Zifre's answer is valid in one sense, I would be very weary of the <canvas> tag, at least at the moment, due to there not being fantastic support for it (as many browsers don't yet fully support HTML5).
Some browsers support it (most notably Firefox and anything running on Webkit), but swathes of others don't (especially older browsers). It's perhaps better to go for a more universal solution (though, by no means completely universal), and use something like Flash.
The easiest way to do this is probably with the <canvas> tag and some JavaScript. Here is a really simple example to get you started. You can add more functions for things like circles, boxes, etc.
I'm sure somebody has already made something like this that you could use, but I couldn't find any.