How to protect my javascript for form submission from authorized changes?

Report · Jan 10, 2017

Hi all,

I have a PDF form created with some validation.

I'm using Customized JavaScript for the submit button to send the form contents to my server.

The server will take 2 things: 1. the complete pdf. 2. the html data of the fields desired

so in the JavaScript actually I defined some logic to control what to send to server and what not to send.

I realize if anyone has Acrobat DC and knows about JavaScript, they can actually change my submit button JavaScript code or change the logic and send invalid data or even attack my server in some sense.

How do I prevent that from happening?

I'm trying to find some locking mechanism. Someone suggest about File->Properties->Security

However, it's locking file opening, editing, printing..etc, but not the JavaScript.

What I really is, I only want to lock the scripts from editing, but not locking the complete PDF form. The form need to be filled up by users, but the users shouldn't change the JavaScript code for form submission or field validation.

Report · Jan 10, 2017

In the Permissions section, select the "Restrict editing..." check box and in the "Changes allowed" dropdown, select one that allows form filling. This type of security isn't really secure since there are tools available that can easily remove it, but it will prevent someone with just Acrobat and no password from making changes, including changes to the scripting, apart from those that you explicitly allow (e.g., form filling)..

View solution in original post

Report · Jan 10, 2017

In the Permissions section, select the "Restrict editing..." check box and in the "Changes allowed" dropdown, select one that allows form filling. This type of security isn't really secure since there are tools available that can easily remove it, but it will prevent someone with just Acrobat and no password from making changes, including changes to the scripting, apart from those that you explicitly allow (e.g., form filling)..

Report · Jan 11, 2017

Hi.

You can obfuscate your scripts: http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx

See this sample obfuscated PDF file: http://abracadabrapdf.net/download/Calcul_poids_imprime.pdf

PDF Acrobatic, InDesigner & Photoshoptographer

Report · Jan 11, 2017

It's good to be concerned about security, but I have to say I think you're looking at the "wrong end". I can get a copy of any JavaScript code in seconds. Obfuscation is irrelevant. Whether I can edit the PDF is irrelevant too, because I can put the JavaScript into a NEW PDF.

So it is the server that must be absolutely bulletproof. This means protected against all known attacks, from SQL injection to server bug exploits. It also needs to be protected against data spoofing; for example a classic error is to take the price from the submitted data, rather than looking it up on the server.

For this reason the server script and server itself needs to be set up and actively maintained by a web specialist with good security credentials. (Not just anyone who can write ASP scripts). It's a pity, but that's the world be live in.

(By the way there is no option to submit both the PDF and its HTML fields; this needs server side software).

Report · Jan 11, 2017

Of course you can copy this script, but my intent is that you cannot edit it.

PDF Acrobatic, InDesigner & Photoshoptographer

How to protect my javascript for form submission from authorized changes?

li.media.uploader-dialog.title