1

How do I receive a string in JS (maybe through an alert) without the user being able to see it beforehand (e.g. in the source code)? You probably know this from Geocaching checkers: how do they secure the real coordinates from being seen in the source code or wherever? I have a web server and some basic JS and HTML understanding. I read about PHP and AJAX, but I haven't found the solution to my problem yet. My objective is to reveal a piece of information only if the user has completed a condition on my website, and it's vital that it's not seen before. I tried using a separate PHP file:

<?php
    $koords =  "N 53° 13.869 E 10° 22.716";
?>

But how do I receive this variable in JS, and can the PHP file be seen by the user?

ueen
  • 1
    Instead of passing the coordinates to the client, pass the guess to the server – snek Aug 30 '18 at 16:40
  • I want to reveal the coordinates if the user completed a challenge on the website, the other way round – ueen Aug 30 '18 at 16:41
  • 1
    When they complete the challenge, request from the server the coords that are secret - you can do this using ajax. When that request succeeds, you can display the coords. – Chris Cousins Aug 30 '18 at 16:54
  • That's what I'm looking for. How do I do this? Where do I store the coords? PHP? – ueen Aug 30 '18 at 16:55

2 Answers

2

In your browser (JS) it will always be available to be seen by someone with JS knowledge.

The only thing you can do is set up a server which evaluates whether your user has fulfilled the condition for completing the challenge. Once the server recognizes the challenge as completed, it would send back your secret to the client, so that it can be displayed to the user there. How you set up that server, and with what language or framework/tools (for example PHP), depends on your background and the environment you will host your website in.

Adding a bit of detail: You will want to make an HTTP request in your JS, somehow sending user input to the server (for example PHP). If it is simple content, you could add it in the URL itself with &parameter=foo; otherwise you would likely send a POST request and send your data as a JSON body. You would then need to evaluate the parameter in your PHP, and if it meets the challenge's requirement, you would answer the client in your response with your secret, or if not, with a message like "try again".

Christian S.
  • A PHP file with only a variable inside can't be seen by the user, right? Am I able to get that variable from another file using JS? Then I could store the secret in the PHP file and call it if the condition is completed... thanks for your help so far! – ueen Aug 30 '18 at 17:17
  • 1
    I added a bit of detail to the original answer. – Christian S. Aug 30 '18 at 17:25
  • Thanks, now I get why my approach was doomed to fail. It wouldn't make any sense to request PHP from JS, it must be the other way round, thanks! – ueen Aug 30 '18 at 18:00
0

OK, here is what I did, to help anyone who sees this. The method is easy to "hack", so don't use this to hide actual sensitive data; it's more of an obstruction to easily seeing in the source code what's going on. I created a PHP file looking like this:

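<?php

$secret = "data";
// Default to 0 when the parameter is missing, to avoid an undefined-index warning.
$givesecret = $_GET['givesecret'] ?? 0;

// Any value greater than zero reveals the secret.
if ($givesecret > 0) {
    echo $secret;
}
?>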

Then, when I want the secret information, I let my JS call the PHP via XHR:

var rndvar = 0;
// something is done in a loop
rndvar++;
// now something is completed and I want to reveal the secret
var xhr = new XMLHttpRequest();
xhr.open("GET", "containssecret.php?givesecret=" + rndvar);
xhr.onreadystatechange = function () {
    if (xhr.readyState == 4 && xhr.status == 200) {
        alert(xhr.responseText);
    }
};
xhr.send();

Pretty basic, and the obvious flaw is, of course, that I could call https://www.mywebsite.org/containssecret.php?givesecret=5 and it will give the secret right away, so the goal would be to name everything less obviously and not make it clear what the criterion in the PHP is (here it is an int greater than zero). But it will always be possible to find that out if you know some coding; this is just an easy way to obfuscate, and it's only relatively secure from ordinary users. For my purpose this is well enough :-D

ueen
  • You could make that actually secure by sending the coordinates (or password or puzzle solution or whatever) entered by the user to the PHP script, and replacing the `if ($givesecret > 0)` test with `if ($coords == '...')`. That way, the JS side of the code can never learn the secret before the user has figured out the correct coordinates. Of course, you should also implement some kind of rate limiting on the PHP side, so that the user can't just hack your JS to call your PHP script in a loop with *all* possible coordinate strings within a two mile radius until it finds the correct one. – Ilmari Karonen Sep 01 '18 at 09:10
  • Thanks for that advice. I did this in another case, but in this case that's not possible, because there is no user input: the user plays a little Phaser game, and if he has passed all the levels he should get the coordinates. Obviously this is handled by JS, so it can't be secure, but this way the coordinates are not just somewhere in the readable source code and are obfuscated enough that the regular user won't be able to access them. – ueen Sep 02 '18 at 10:10
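
The server-side check described in Christian S.'s answer and in Ilmari Karonen's comment, as an added example (not code from anyone in the thread): the browser posts the user's answer, and the PHP script returns the coordinates only on a match, with per-client rate limiting. The file name `reveal.php`, the `answer` POST parameter, `PUZZLE_ANSWER`, the limits and the temp-file store keyed by IP address are assumptions.

```php
<?php
// reveal.php (hypothetical name): added example, not code from the thread.
declare(strict_types=1);
const SECRET_COORDS = 'N 53° 13.869 E 10° 22.716'; // value from the question
const PUZZLE_ANSWER = 'example answer';  // constructed placeholder solution
const MAX_ATTEMPTS  = 5;                 // assumed limit per client and window
const WINDOW_SECS   = 600;               // assumed window length in seconds

// Trim, collapse whitespace and lowercase so formatting differences still match.
function normalize(string $s): string {
    return strtolower(preg_replace('/\s+/', ' ', trim($s)) ?? '');
}

// Record one attempt for $client; true while the client is within the limit.
function allow_attempt(string $file, string $client, int $now): bool {
    $fh = fopen($file, 'c+');            // create if missing, do not truncate
    if ($fh === false) { return false; } // fail closed if the store is unusable
    flock($fh, LOCK_EX);                 // serialize concurrent requests
    $log = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    $recent = array_filter($log[$client] ?? [], fn($t) => $t > $now - WINDOW_SECS);
    $recent[] = $now;
    $log[$client] = array_values($recent);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($log));
    flock($fh, LOCK_UN);
    fclose($fh);
    return count($recent) <= MAX_ATTEMPTS;
}

// Decide the response: the secret leaves the server only on a correct answer.
function handle(string $guess, string $client, string $file, int $now): array {
    if (!allow_attempt($file, $client, $now)) {
        return [429, 'Too many attempts, try again later'];
    }
    if (hash_equals(normalize(PUZZLE_ANSWER), normalize($guess))) {
        return [200, SECRET_COORDS];
    }
    return [403, 'Try again'];
}

$guess = $_POST['answer'] ?? '';
[$status, $body] = handle(
    is_string($guess) ? $guess : '',
    $_SERVER['REMOTE_ADDR'] ?? 'cli',
    sys_get_temp_dir() . '/reveal_attempts.json',  // assumed store location
    time()
);
http_response_code($status);
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

Limiting by IP address also throttles users who share an address, and the temp-file store would normally be replaced by a database or cache on a real site.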