Wednesday, 6 December 2017

JavaScript security

JavaScript is an object-oriented programming language (prototype) mainly used on the web. Note that it has nothing to do with Java. It is interpreted by your browser and, in short, it is he who displays messages like "Please fill in all fields" when you want to make a purchase without putting the number of your credit card. It is very convenient for making websites interactive.
With JavaScript we are at the client computer. We will detail the terms "client" and "server" thereafter.
JavaScript is already a secure minimum, for example you can not access the Windows registry or create default folders and files. Although it is feasible with VBScript under Internet Explorer only.
You can not access variables from other sites or view other pages opened by the browser. You can, however, set cookies.

1) Why do not trust Javascript if you own a website

This example comes from another website (which thought well done) and was copied identically. Try to find the password.
The most experienced of you will have found, just display the source code of the page (CTRL + U) to display this beautiful piece of JavaScript code:
 function Login () {
            var password = document.login.password.value;
            if (password == "kztYq8") {
                window.location = "bravo.htm";
            }
            else
            {
                window.location = "dommage.htm";
            }
        }
Erf.
javascript security

Not only is the password set in clear , it is the same for everyone BUT in addition the resulting file is given . I do not even need the password.
All that to say that the JavaScript code that you write is visible to everyone . Visible and editable!
But besides, and we come to the second point, it is deactivable .

2) Check on the client side AND on the server side

The client side is the side of all your visitors, it is their browser that will display your page. The server side is the code that will run only on your server and is therefore inaccessible to clients.
What you check on the client side (with JavaScript) is unreliable as we have seen and needs to be re-checked on the server side (in php / asp / etc).
But what's the use of JavaScript? We saw it at the beginning, it serves to make the site more ergonomic, more interactive.
Let's take an example:
function validateURL (val) {
   var test = / (ftp | http | https): // (w +: {0,1} w * @)? (S +) (: [0-9] +)? (/ | / ([w # !: .? = + &% @ - /])) / test (document.frmrac.url.value!);?.
   if (test == false) {
           alert ("The URL to shorten is invalid!");
           return false
    }
    else return true;
}
The line with (w +: {0,1} ... etc is a regular expression that will test whether a string is a URL, if the return value is false it is not a URL and you do not can (normally) not submit the form.
Let's say I'm smart and disable JavaScript , I can write anything and submit the form without seeing the message "The URL to be shortened is not valid! ".
Only I check again on the server side (php so) if the link is a URL :
function validateURL ($ url) {
    if (filter_var ($ url, FILTER_VALIDATE_URL) == FALSE) return FALSE;
    else return TRUE;
}
and if it is not the case you have this time the right to a message "The specified link is not valid".

3) Go further

We have seen that we should not place private elements in JavaScript code and that we should not rely on it when validating data.
This is especially true since it is possible in specific cases to submit a valid but distorted data. And that it is possible to change the data on the fly.
I can for example copy the source code of a page, change the JavaScript code, re-register and submit everything.
I also see the famous "right click off" on some pages that use JavaScript code to prevent copying the elements of the site.
It is NOTHING. We saw that it is enough to disable JavaScript to bypass this "restriction".

No comments:

Post a Comment