All geek questions in one place

Javascript security: does keeping sensitive data in self invoking functions more secure than cookies?

I know that security either does not exist or is very complex in client-side JavaScript. I know that my server code should ultimately decide to whom it sends data or receives data.

However, this is normal. By โ€œokayโ€ I mean if it were a method used in some new popular trendy cool web application. Can I sleep at night knowing that I won't see the โ€œSuper Cool Web App Hacked, Change Your Passwords!โ€ throughout HN and Reddit (or any other sources of information that people care about) as a result of this implementation.

If it is not safe. What for? How to get this information (username and password)?

If it is safe? How are you sure? Why is it safe? What is stopping me from getting this information beyond my apparent inability right now.

Partial responses are welcome. Just look for a better understanding.

EDIT

I think that some are trying to steal user credentials. My understanding is that cookies are unsafe because 1.) other javascripts (via XSS or something else) can access them, but because 2.) they are transmitted in clearness. I believe that SSL will take care of the second problem and suggests that I can prevent XSS. Now it would seem that cookies are now safe, right?

I am aware of some of the alleged browser vulnerabilities that help make cookies insecure. It made me ask this question. Given everything that makes cookies insecure, is this better (code below)?

http://jsfiddle.net/KTastrophy/vXEjm/1/ OR see code below (Checked only in Chrome)

<!DOCTYPE html> <html> <head> </head> <body> <form id="login"> <div> <label for="username">Username</label> <input id="username" name="username" type="text" /> </div> <div> <label for="password">Password</label> <input id="password" name="password" type="password" /> </div> <div> <input id="submit" name="submit" type="submit" value="Login" /> </div> </form> </body> <script type="text/javascript"> ;(function () { "use strict"; var login, user = {}; login = document.getElementById("login"); login.onsubmit = function (event) { event.preventDefault(); user.username = document.getElementById("username").value; user.password = document.getElementById("password").value; /* use the username and password here to do an API request over SSL using HTTP Auth */ } }()); </script> </html>
+7
source share
6 answers

When dealing with sensitive values โ€‹โ€‹stored in JavaScript, you have two main security concerns:

  • The sensitive value can be viewed as plain text in the source.
  • Another JS function on the page can hit the object and pull out these values โ€‹โ€‹(i.e. an XSS attack).

The second paragraph above becomes much more relevant when applications running from multiple sources on the same page (for example, applications for Facebook). In these cases, you need to take warnings not to expose vulnerable variables using closure for the namespace. You already do this: your user object is declared inside a closure. This prevents any JS function on the page from accessing the user object.

In your case, I assume that there is no other code on the page than your own, and the opportunity for injection is minimal - your code is safe :)

Edit: What makes saving a username and password in a cookie unsure that it is on your computer after you close your browser. If a hacker can access this cookie (in any number of ways), then you may have problems. What you did above is safe because nothing is saved on the client side after closing the browser (and while the browser is open, the other JS cannot access the values โ€‹โ€‹you saved). If you want to put something in a cookie, it is better to save some kind of public / private authentication key. There is a lot of discussion about this, here is a thorough article "Best Practice" on the topic: http://jaspan.com/improved_persistent_login_cookie_best_practice

+6
source

If the stored data is displayed inside the source code, then no, the toString method can be used to turn the body of the function into source code.

 function f() { var cryptoKey = "ABGASDJEOTATJKASDTNM..."; } alert(f);

If the data is closed instead of appearing in the source code, and there is no way this function can call eval in its body, then on modern interpreters, yes.

Advanced Netscape interpreters have extended eval so that it can be used to run code inside a function through eval("nameOfLocalVariable", fnToStealFrom) .

If a function calls one of its arguments, it can be stolen from.

 var f = (function () { var x = "secret"; return function (a, b) { return a(b + x.length); }; })(); f(eval, "x//");

steals the secret of EcmaScript 3 interpreters and, possibly, some EcmaScript 5 interpreters.

+1
source

Great to keep the value of the input field in the javascript value, because since the user entered it, they obviously know about it.

However! He is usually unhappy with saving user passwords as plain text anywhere.

Edit

SSL will make this very difficult (not impossible if you have enough time, but enough that it is what most of the Internet uses as secure) so that an attacker can intercept and recreate the message. Temporarily storing one password in the javascript variable entered on this page in order. But do not send it from the server in text form or you will wake up with bad headers.

+1
source

Not. What you need and need to do is:

  • protect your database. Store passwords as salted hashes, etc.
  • provide a connection. You will need to use SSL.

There can be no security in client javascript code. The user enters all the data in plain text, and thus, every script running on your page can be accessed. Therefore, you will need to prevent XSS. Of course, cookies are directly accessible to all scripts running in your domain, while data hidden in the scope of some functions is not a "global variable", but every malicious script can access it, as your own application does.

@your code: Itโ€™s true, no one can access the user object from the outside. But everyone can access the password entry element, and everyone can crack browser objects to look into the api request.

0
source

As your example, you are completely safe.

This, however, does not replace cookies. In your example, you save the password in the code locally, but unlike cookies, these values โ€‹โ€‹can never be used later.

It is better not to store the value at all and use traditional HTTP authentication through ssl.

0
source

deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts about Rehi deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts deez nuts

0
source

Source: https://habr.com/ru/post/921900/

More articles:


All Articles