JavaRanch » Java Forums » Engineering » HTML, CSS and JavaScript

Security with JavaScript?

Leandro Melo
Ranch Hand

Joined: Mar 27, 2004
Posts: 401
Hi,
I'd like to know about security in JavaScript. How can users (or hackers) manipulate the JavaScript content of web pages? What can they do using the location bar of the browser, like calling functions, writing code or erasing code?
Does anyone know a good link or book on that???
Thanks,


Leandro Melo
SCJP 1.4, SCWCD 1.4
eammon bannon
Ranch Hand

Joined: Mar 16, 2004
Posts: 140
JavaScript executes client side - what does it matter what users do to a page once they've downloaded it?
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
Paste the following code into the address bar of the reply page.

Hit return...
Now do you see why people should be scared? I can sit here and change anything on the page; if there is a readonly field for a discount, I can change that to make the item free.
It is not hard to do. I can make the reply page post to another forum and thread. It is not hard to do. Are there any books on this? Not that I know of. All you need is to know what JavaScript can do and try executing it from the addy bar on any page.
This is the reason why server side coding and validation is so important!
Eric
Leandro Melo
Ranch Hand

Joined: Mar 27, 2004
Posts: 401
Actually, it didn't work for me (pasted in the address bar and pressed "return"???).
Anyway, that's the kind of thing I'm talking about.
Do you know, at least, a good JavaScript book (or link) about how to avoid these kinds of things???
Thanks,
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
I wrote something on my blog about this today:
http://radio.javaranch.com/channel/pascarello/2004/03/30.html
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61198
Eric's point is wise and should be heeded! I don't know how many times I've gone 'round and 'round about this in the JSP forum.
JavaScript validation and other things that you do on the page are there for the "user experience". You can do some wonderful things with JavaScript on your pages. But never, ever let your server-side code assume anything about what happened on the client!
If you perform validation on the client side (so that users don't have to wait for a server round trip to find out that they need to fill in a field and such), that's a nice thing, but your server-side code should always perform validation regardless of whether you performed client-side validation or not.
And even more important, coding business rules into your forms (as Eric's example points out) will only lead to heartache and pain.
[ March 30, 2004: Message edited by: Bear Bibeault ]

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Yuriy Fuksenko
Ranch Hand

Joined: Feb 02, 2001
Posts: 413
It always amazed me how many things people put into a form as "hidden", and how often they rely on "readonly" or "disabled" stuff.
Least harmful: message length limitation and validation in chat rooms.
I don't think you will find any books on this particular subject.
But basically, any JavaScript function or set of commands could be executed from an address bar - just start trying.
The tool I have on my page - Web Code Expert - could actually help you with manipulating someone else's page: it acts just like a browser, allows you to view/edit code, execute JavaScript and so on, and it is free. And the tool itself is written in JavaScript.
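Bear's and Yuriy's points above (client-side checks are for the user's convenience; "hidden", "readonly" and "disabled" fields arrive at the server exactly as editable as any other; the server must re-derive every value it cares about) can be shown in a few lines. The following is an added example written for this page, not code from any poster; the thread's server side would have been JSP, but the same logic is shown here in JavaScript so it stays in the forum's language. The catalog, discount table, field names and the two sample form posts are all constructed for the example.

```javascript
// Added example (not from the thread): an authoritative server-side check of an
// order form. Everything in `submission` came from the browser and is untrusted,
// including the fields the page rendered as hidden, readonly or disabled.

// Constructed sample data; stands in for a database lookup.
const CATALOG = {
  "sku-100": { name: "Widget", priceCents: 1999 },
  "sku-200": { name: "Gadget", priceCents: 4500 },
};
const DISCOUNT_CODES = { SPRING10: 10, STAFF25: 25 }; // percent off

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate one submission (all values are strings, as a browser posts them).
// Returns either a list of errors or the order as the server computed it.
function validateOrder(submission) {
  const errors = [];

  // Required-field rules are repeated here even though the page checks them too.
  const email = typeof submission.email === "string" ? submission.email.trim() : "";
  if (!EMAIL_RE.test(email)) errors.push("email: invalid");

  const quantity = Number(submission.quantity);
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 99) {
    errors.push("quantity: must be an integer from 1 to 99");
  }

  // hasOwnProperty guards against keys like "constructor" matching the prototype.
  const item = Object.prototype.hasOwnProperty.call(CATALOG, submission.sku)
    ? CATALOG[submission.sku]
    : null;
  if (!item) errors.push("sku: unknown product");

  // The client may name a discount code; the server decides what it is worth.
  // Client-supplied "discount", "price" and "total" fields are never read as input.
  let discountPercent = 0;
  const code = submission.discountCode;
  if (code !== undefined && code !== "") {
    if (Object.prototype.hasOwnProperty.call(DISCOUNT_CODES, code)) {
      discountPercent = DISCOUNT_CODES[code];
    } else {
      errors.push("discountCode: not recognised");
    }
  }

  if (errors.length > 0) return { ok: false, errors };

  const subtotal = item.priceCents * quantity;
  const totalCents = Math.round((subtotal * (100 - discountPercent)) / 100);
  return {
    ok: true,
    order: { email, sku: submission.sku, quantity, totalCents },
    // What the server believes the form's read-only fields should have contained.
    serverValues: {
      price: String(item.priceCents),
      discount: String(discountPercent),
      total: String(totalCents),
    },
  };
}

// Detection aid: names the read-only/hidden fields whose posted value disagrees
// with the server's own figure. Worth logging: a mismatch means the page was
// edited before submission, not that the user made a typo.
function tamperIndicators(submission, result) {
  if (!result.ok) return [];
  return Object.keys(result.serverValues).filter(
    (field) => field in submission && String(submission[field]) !== result.serverValues[field]
  );
}

// Constructed sample posts. The first is what the untouched form sends; the
// second is the same order with the read-only discount and total rewritten.
const LEGIT = {
  email: "leandro@example.com", sku: "sku-100", quantity: "2",
  discountCode: "SPRING10", price: "1999", discount: "10",
};
const EDITED = { ...LEGIT, discount: "100", total: "0" };

for (const post of [LEGIT, EDITED]) {
  const result = validateOrder(post);
  console.log(result.ok ? `total ${result.order.totalCents} cents` : result.errors,
    "tampered fields:", tamperIndicators(post, result));
}
```

Both posts yield the same total, because the server priced the order from its own catalog and discount table; the edited read-only fields only show up in the tamper log. Note the shape of the fix: the discount is not "validated" against the client's value, it is recomputed, and the client's copy is used for nothing but detection.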