Security with JavaScript?

 
Ranch Hand
Posts: 401
Hi,
I'd like to know security stuff about JavaScript. How can users (or hackers) manipulate JavaScript content in web pages? What can they do using the location bar of the browser, like calling functions, writing code or erasing code?
Does anyone know of a good link or book on that?
Thanks,
 
Ranch Hand
Posts: 140
JavaScript executes client side - what does it matter what users do to a page once they've downloaded it?
 
author
Posts: 15385
Paste the following code into the address bar of the reply page.

Hit return...
Now do you see why people should be scared? I can sit here and change anything on the page; if there is a readonly field for a discount, I can change that to make the item free.
It is not hard to do. I can make the reply page post to another forum and thread. It is not hard to do. Are there any books on this? Not that I know of. All you need is to know what JavaScript can do and try executing it from the addy bar on any page.
This is the reason why server side coding and validation is so important!
Eric
 
Leandro Melo
Ranch Hand
Posts: 401
Actually, it didn't work for me (pasted in the address bar and pressed "return"???).
Anyway, that's the kind of thing I'm talking about.
Do you know, at least, a good JavaScript book (or link) about how to avoid these kinds of things???
thanks,
 
Eric Pascarello
author
Posts: 15385
I wrote something on my blog about this today:
http://radio.javaranch.com/channel/pascarello/2004/03/30.html
 
Sheriff
Posts: 67752
Eric's point is wise and should be heeded! I don't know how many times I've gone 'round and 'round about this in the JSP forum.
JavaScript validation and other things that you do on the page are there for the "user experience". You can do some wonderful things with JavaScript on your pages. But never, ever let your server-side code assume anything about what happened on the client!
If you perform validation on the client side (so that users don't have to wait for a server round trip to find out that they need to fill in a field and such) that's a nice thing, but your server-side code should always perform validation regardless of whether you performed client-side validation or not.
And even more important, coding business rules into your forms (as Eric's example points out) will only lead to heartache and pain.
[ March 30, 2004: Message edited by: Bear Bibeault ]
 
Ranch Hand
Posts: 413
It always amazed me how many things people put into a form as "hidden", and how often they rely on "readonly" or "disabled" stuff.
Least harmful: message length limitation and validation in chat rooms.
I don't think you will find any books on this particular subject.
But basically, any JavaScript function or set of commands could be executed from an address bar - just start trying.
The tool I have on my page - Web Code Expert, could actually help you with manipulation with someone else page - it acts just like a browser, allows you to view/edit code, execute JavaScript and so on, and it is free. And the tool itself is written in JavaScript.
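The server-side check that Bear's post and the one above argue for, as an added example that is not part of the thread: the catalogue, discount table, field names and limits are constructed assumptions. It recomputes the price from data the server controls and ignores whatever discount or total the browser sent, and it re-applies the message length rule that a chat page might only enforce in JavaScript.

```javascript
// Added example, not code from the thread. Server-side order validation
// that trusts nothing the client sent except as raw input to be checked.

// Constructed server-side catalogue: the only source of truth for prices.
const CATALOG = {
  "book-101": { price: 29.95, maxQty: 10 },
  "mug-7":    { price: 9.5,   maxQty: 50 },
};
// Discount codes live on the server too, never in a hidden/readonly field.
const DISCOUNTS = { WELCOME10: 0.10 };
const MAX_NOTE_LENGTH = 200;

// `submitted` is the parsed form body exactly as the browser posted it.
// Field names (sku, qty, code, note) are assumptions for this example.
function validateOrder(submitted) {
  const errors = [];
  const item = CATALOG[String(submitted.sku)];
  if (!item) errors.push("unknown sku");

  const qty = Number(submitted.qty);
  if (!Number.isInteger(qty) || qty < 1) errors.push("qty must be a positive integer");
  else if (item && qty > item.maxQty) errors.push("qty exceeds limit");

  // Any client-supplied price, discount or total is ignored, not merely checked:
  // the rate comes from the server table or the code is rejected.
  let rate = 0;
  if (submitted.code !== undefined && submitted.code !== "") {
    if (Object.prototype.hasOwnProperty.call(DISCOUNTS, submitted.code)) {
      rate = DISCOUNTS[submitted.code];
    } else {
      errors.push("invalid discount code");
    }
  }

  // Length rule enforced again here because the client-side check can be removed.
  const note = submitted.note === undefined ? "" : String(submitted.note);
  if (note.length > MAX_NOTE_LENGTH) errors.push("note too long");

  if (errors.length) return { ok: false, errors, total: null };
  const total = Math.round(item.price * qty * (1 - rate) * 100) / 100;
  return { ok: true, errors, total };
}
```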
 