Security and JavaScript files containing site logic

Now that JavaScript libraries such as jQuery are more popular than ever, .js files are starting to contain more and more site logic: how and where data is extracted, how that information is processed, and so on. This is not necessarily bad, but I wonder to what extent this could be a security issue.

Of course, the real data processing still happens in the backend using PHP or some other language, and it is important that you do not do anything unnecessary at that point. But just by looking at the .js file (which depends heavily on, for example, jQuery), a person can tell more than you, as the developer, would like. Moreover, every browser currently comes with a fairly extensive web development environment or add-on. Even for beginners, manipulating the DOM is no longer a big deal. And as soon as you find out what the code does and how you can influence it by editing the DOM, the fun begins.

So my main problems are:

  • I don't want everyone to be able to look at the .js file and see exactly (or rather: for the most part) how my site, web application or CMS works - what is there, what it does, how it does it, etc.

  • I'm worried that by "revealing" this information, people who are much smarter than I am will figure out how to manipulate the DOM to influence the JavaScript functions that they now know the site uses, possibly bypassing checks I implemented (and therefore mistakenly assumed were good enough).

I already use different .js files for different parts of, for example, a web application. But there are always things that need to be available globally, and sometimes that contains more than I would like to be public. And since all of it is "there", who says they cannot find those other files anyway.

I sometimes see a huge piece of JavaScript without line breaks and all that, like the compact jQuery files. I am sure there are applications or tricks to convert your regular .js file into one long line. But if this can be done, isn't it just as easy to turn it back into something more readable (which makes it pointless except to save space)?

Finally, I was thinking about whether it is possible to detect that the request for the .js file comes from the site itself (by including the script in the HTML) instead of being loaded directly. Maybe by blocking the latter with, for example, Apache mod_rewrite, it would be possible to use the .js file in the HTML while blocking anyone who tries to access it directly.


What do you think about this? Am I overreacting? Should I split my JS as much as possible, or just spend more time triple-checking the backend scripts and include more checks to prevent harm? Or are there best practices for limiting the exposure of JavaScript and all the information it contains?

+4
5 answers

There should be no security risk in your JavaScript if you have configured everything correctly. Any attempt to access an AJAX endpoint found in the JavaScript file should check the user's rights and fail if they do not have the correct ones.

If someone views your JavaScript, it is only a security risk if you have done something broken, for example calling something like /ajax/secret_endpoint_that_requires_no_authentication.php , in which case your problem is not insecure JavaScript, it is insecure code.

I sometimes see a huge piece of JavaScript without line breaks and all that, like the compact jQuery files. I am sure there are applications or tricks to convert your regular .js file into one long line. But if this can be done, isn't it just as easy to turn it back into something more readable (which makes it pointless except to save space)?

This is usually minification (to reduce bandwidth usage), not obfuscation. It is easily reversible. There are obfuscation methods that will rename all variables and functions to something meaningless like "aa", "bb", etc., but they are reversible with enough effort.

Finally, I was thinking about whether it is possible to detect that the request for the .js file comes from the site itself (by including the script in the HTML) instead of being loaded directly. Maybe by blocking the latter with, for example, Apache mod_rewrite, it would be possible to use the .js file in the HTML while blocking anyone who tries to access it directly.

This can be done, but it is easily bypassed by any semi-competent attacker. Bottom line: nothing you send to an untrusted user's browser should ever be considered confidential.

+6

Of course you should spend more time checking the backend scripts. You should approach the security problem as if the attacker were one of the key developers of your site, someone who knows exactly how everything works. Every URL on your site that does something to your database must be protected to make sure that each parameter is within acceptable limits: the user can change only his own data, can make changes only within acceptable ranges, can only change state that permits changes, and so on. None of this has anything to do with what your JavaScript looks like or whether anyone can read it, and jQuery has nothing to do with the problem (unless you did it all wrong).

Remember: an HTTP request to your site can come from anywhere and be made by any software in the universe. You have no control over this, and nothing you do to limit which clients can load pages will affect them. Do not bother with "REFERER" checks, because the values can be faked. Do not rely on data-sanitization routines in your JavaScript, because they can be bypassed.

+2
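The point made in the two answers above (check rights and parameters on the server, ignore Referer, assume any request can be hand-crafted) as an added example that is not code from the original thread. It is a pure Node.js request handler for a hypothetical "update profile" AJAX endpoint; the session shape, the in-memory `profiles` store and the field names are assumptions made for this example.

```javascript
// Added example (not from the thread): a server-side handler for an AJAX
// endpoint that enforces every rule on the server, so it does not matter
// whether the caller is the page's own JavaScript, a browser dev console, or
// a hand-crafted HTTP request. Session shape and store are assumptions.

// Constructed in-memory data standing in for the real database.
const profiles = new Map([
  [1, { userId: 1, displayName: "alice", age: 30, locked: false }],
  [2, { userId: 2, displayName: "bob",   age: 41, locked: true  }],
]);

const AGE_MIN = 0;
const AGE_MAX = 150;
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;

// session: what the server itself knows about the caller (from a server-side
// session store keyed by the cookie), never taken from the request body.
// request: { headers: {...}, body: {...} } as parsed from the HTTP request.
function handleUpdateProfile(session, request) {
  // 1. Authentication: no valid server-side session -> reject.
  if (!session || typeof session.userId !== "number") {
    return { status: 401, body: { error: "not authenticated" } };
  }
  const body = request.body || {};

  // 2. Authorization: a user may only change their own record. The target id
  //    comes from the request, the identity comes from the session.
  if (body.userId !== session.userId) {
    return { status: 403, body: { error: "cannot modify another user's profile" } };
  }
  const profile = profiles.get(session.userId);
  if (!profile) {
    return { status: 404, body: { error: "no such profile" } };
  }

  // 3. State check: only records in a state that permits changes.
  if (profile.locked) {
    return { status: 409, body: { error: "profile is locked" } };
  }

  // 4. Validate every parameter against acceptable limits.
  if (typeof body.age !== "number" || !Number.isInteger(body.age) ||
      body.age < AGE_MIN || body.age > AGE_MAX) {
    return { status: 400, body: { error: "age out of range" } };
  }
  if (typeof body.displayName !== "string" || !NAME_RE.test(body.displayName)) {
    return { status: 400, body: { error: "invalid displayName" } };
  }

  // Deliberately absent: any look at request.headers.referer, and any
  // assumption that the page's JavaScript already validated something.
  profile.age = body.age;
  profile.displayName = body.displayName;
  return { status: 200, body: { ok: true, profile: { ...profile } } };
}

// Read-only view of a record, for callers and tests.
function getProfile(userId) {
  const p = profiles.get(userId);
  return p ? { ...p } : null;
}

// Stand-alone demonstration: the same session sends one request that looks
// like it came from the page and one with no Referer at all; both are judged
// purely on session, ownership, state and parameter checks.
function demo() {
  const aliceSession = { userId: 1 };
  const fromPage = handleUpdateProfile(aliceSession, {
    headers: { referer: "https://example.test/profile" },
    body: { userId: 1, age: 31, displayName: "alice_2" },
  });
  const handCrafted = handleUpdateProfile(aliceSession, {
    headers: {},
    body: { userId: 1, age: 32, displayName: "alice_3" },
  });
  const someoneElse = handleUpdateProfile(aliceSession, {
    headers: { referer: "https://example.test/profile" },
    body: { userId: 2, age: 20, displayName: "bob" },
  });
  console.log(fromPage.status, handCrafted.status, someoneElse.status); // 200 200 403
  return [fromPage.status, handCrafted.status, someoneElse.status];
}
```

Wiring `handleUpdateProfile` into an HTTP server is the routine part; what the example shows is that nothing in the decision depends on how the request was produced, which is why reading the JavaScript that normally calls this endpoint gains an attacker nothing.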

There is free software that does JavaScript obfuscation. This is security through obscurity, though. It does not prevent attacks on your system. It makes it more difficult, but not impossible, for other people to take apart your JavaScript and use it.

There is also the issue of client trust. With a lot of logic on the client side, the client gets to choose what it wants to execute. For example, if you escape quotes in JavaScript to protect against SQL injection, a hacker will simply write exploit code that crafts his own HTTP request, bypassing all the escaping routines.

TamperData and FireBug are commonly used by hackers to gain a deeper understanding of a web application.

JavaScript code alone CAN contain vulnerabilities. A good example is DOM-based XSS. Although I admit that this is not a very common type of XSS.

0
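The DOM-based XSS mentioned at the end of the answer above, as an added example that is not code from the thread. The vulnerable and the hardened version of a page script are modelled with plain strings (the markup an `innerHTML` assignment would produce versus what `textContent` would produce), so it runs under Node without a browser; the `#name=` fragment format and the function names are assumptions made for this example.

```javascript
// Added example (not from the thread): a DOM-based XSS flow and its fix. The
// page reads a name from the URL fragment (#name=...) and inserts it into the
// document. That data never reaches the server, so nothing the backend does
// can sanitize it; the page script itself has to treat it as text.

// Source: parse "#name=..." the way a page script might. Returns "" when the
// fragment is absent or has no name. URLSearchParams decodes percent-encoding
// and does not throw on malformed sequences (it substitutes U+FFFD).
function readNameFromFragment(hash) {
  if (typeof hash !== "string" || !hash.startsWith("#")) return "";
  const params = new URLSearchParams(hash.slice(1));
  const raw = params.get("name");
  return raw === null ? "" : raw;
}

// Vulnerable sink: the untrusted value becomes markup, which is what
// element.innerHTML = "Hello, " + name does.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>";
}

// Encode the characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: the value is treated as text, the effect of
// element.textContent = name, so it cannot introduce tags or attributes.
function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Crude check used only to make the difference visible: true if the rendered
// output contains any tag other than the wrapping <p>.
function introducesMarkup(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Stand-alone demonstration on a constructed fragment.
function demo() {
  const name = readNameFromFragment("#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E");
  const unsafe = renderGreetingUnsafe(name);
  const safe = renderGreetingSafe(name);
  console.log("unsafe introduces markup:", introducesMarkup(unsafe)); // true
  console.log("safe introduces markup:  ", introducesMarkup(safe));   // false
  return { unsafe: introducesMarkup(unsafe), safe: introducesMarkup(safe) };
}
```

In a real page the fix is to assign to `textContent` (or use a DOM API that takes text, such as `createTextNode`) rather than to `innerHTML`; the `escapeHtml` helper here stands in for that behaviour so the difference can be asserted without a browser.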

Well, you're right to think about it. This is a non-trivial and poorly understood area of web application development.

In my opinion the answer is yes, it can create more security problems, simply because (as you point out) the attack vectors increase. Mostly it is a minor change from a traditional (non-JS) web application, and the same best practices and approaches will serve you very well: for example, watching for SQL injection, buffer overflows, response splitting, etc. You just have more places where you need to watch for them.

From the point of view of the scripts themselves, cross-domain security issues are probably the most common. Learn about and learn how to avoid XSS attacks in particular, as well as CSRF attacks.

JavaScript obfuscation is usually not done for security reasons, and you are right that it can easily be undone. People do it partly to protect intellectual property, but mainly to reduce the download size of the code.

I would recommend Christopher Wells' book, published by O'Reilly, entitled Ajax Application Security.

0

Source: https://habr.com/ru/post/1301757/