
Is it possible to modify the value of a JavaScript variable at the client end?

 
Saurabh Pillai
Ranch Hand

Is it possible to modify the value of a JavaScript variable at the client end as a hacking attempt? If yes, how easy is it? Does a developer need to be concerned about it?
 
Paul Clapham
Sheriff
Well, let's put it this way: using Firebug I can step through your JavaScript in debug mode. I don't recall whether I can change the value of JavaScript variables while I'm doing that, because I haven't ever tried it, but I wouldn't be surprised. You could try that yourself to see. I have also used Firebug to edit the HTML of pages so that I can submit requests which the site owners didn't expect, too.

So I would say yes, you do need to be concerned about that sort of thing.
 
Bear Bibeault
Author and ninkuma
Marshal
Your server needs to validate all data coming from the browser. Always.

This is just one of the reasons that client-side validation is insufficient for security.
 
Saurabh Pillai
Ranch Hand
Thank you guys.

Consider this scenario:

You and a few other people, including a manager, the CEO and engineers, are working on an assignment. Everybody has input on the given assignment that they can give by leaving a note in the system (a web application). You can see any notes you are authorized to see. In the current implementation, we fetch all PKs (primary keys) from the note table that you are authorized to see and save them in a JS array. So when you navigate from one note to another, we simply fire a query by note id and get the content. No second check at the server end. So if it is possible to modify the JS variable, array, etc., they can get access to the notes that they are not authorized to see. Glitch.

So now I have to change the implementation to validate the requested data. More workload on the server to KEEP the data safe.
 
Bear Bibeault
Author and ninkuma
Marshal
Saurabh Pillai wrote: So now I have to change the implementation to validate the requested data. More workload on the server to KEEP the data safe.

This is always a must. It's not "more workload". It's what has to happen. Always.
 
Jeanne Boyarsky
author & internet detective
Marshal
Yes, it is possible to modify the JavaScript variable. However, that isn't even necessary to get data the user shouldn't see. All the person has to do is change a form value. If you are using GET, this parameter value is already in the URL. If not, Firebug can change a POST form to a GET form and then it is in the URL. Now someone can just start trying different numbers as that id and keep submitting to see what happens.
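The note-lookup scenario described earlier in the thread (the browser holds an array of permitted note ids and the server queries by whatever id it receives), Bear's point that the server must validate everything, and Jeanne's point that the id can simply be typed into the URL all come down to one server-side change. The following is an added example, not code from the thread or from any poster; the note data, the access-control table and all function names are constructed for illustration. It shows the handler that trusts the client-held id list beside one that re-checks authorization on every request, and a small denial counter a defender can use to notice someone walking through ids.

```javascript
// Constructed sample data: note PKs -> content (stands in for the note table).
const NOTES = new Map([
  [1, { owner: "alice", text: "Alice's status update" }],
  [2, { owner: "bob", text: "Bob's draft figures" }],
  [3, { owner: "ceo", text: "Confidential budget" }],
]);

// The server's authoritative record of who may read which notes (constructed).
const AUTHORIZED = {
  alice: new Set([1, 2]),
  bob: new Set([2]),
  ceo: new Set([1, 2, 3]),
};

// What the original design ships to the browser: the list of permitted PKs.
// Once it is in the browser it is just data the user controls; it can be
// edited in a debugger or bypassed by changing the form/URL parameter.
function noteIdsForClient(user) {
  return Array.from(AUTHORIZED[user] || []);
}

// Vulnerable handler: assumes the client only ever asks for ids from its
// array, so it queries by id with no authorization check at all.
function getNoteUnchecked(user, requestedId) {
  const note = NOTES.get(Number(requestedId));
  return note ? { status: 200, body: note.text } : { status: 404, body: null };
}

// Denied-lookup counter per user, kept so a defender can spot enumeration.
let denials = new Map();
function resetDenials() { denials = new Map(); }
function denialCount(user) { return denials.get(user) || 0; }
function suspiciousUsers(threshold) {
  return Array.from(denials.entries())
    .filter(([, n]) => n >= threshold)
    .map(([user]) => user);
}

// Hardened handler: the server decides per request whether THIS user may read
// THIS note, regardless of what the client sent or what array it holds.
function getNoteChecked(user, requestedId) {
  const id = Number(requestedId);
  if (!Number.isInteger(id)) return { status: 400, body: null };
  const allowed = AUTHORIZED[user] || new Set();
  if (!allowed.has(id) || !NOTES.has(id)) {
    denials.set(user, denialCount(user) + 1);
    // Same response for "no such note" and "not your note": a distinguishable
    // answer would tell a guesser which ids exist.
    return { status: 404, body: null };
  }
  return { status: 200, body: NOTES.get(id).text };
}

// Simulates what Jeanne describes: ignore the array and submit every id in
// turn. Returns the ids whose content the user actually received.
function enumerate(handler, user, maxId) {
  const read = [];
  for (let id = 1; id <= maxId; id++) {
    if (handler(user, String(id)).status === 200) read.push(id);
  }
  return read;
}

// Stand-alone demo.
console.log("bob's client array:", noteIdsForClient("bob"));
console.log("unchecked, bob reads:", enumerate(getNoteUnchecked, "bob", 10));
resetDenials();
console.log("checked, bob reads:", enumerate(getNoteChecked, "bob", 10));
console.log("denied lookups for bob:", denialCount("bob"));
console.log("users over 5 denials:", suspiciousUsers(5));
```

The vulnerable handler hands bob the CEO's note as soon as he submits id 3; the checked handler returns 404 for it and records the denial. The counter is deliberately simple; in a real application the same signal would go to the access log or an alerting rule rather than an in-memory map.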
 