Is it possible to modify the value of Javascript variable at client end

Saurabh Pillai
Ranch Hand

Joined: Sep 12, 2008
Posts: 509
as a hacking attempt.

If yes, how easy is it? Does a developer need to be concerned about it?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18887

Well, let's put it this way: using Firebug I can step through your Javascript in debug mode. I don't recall whether I can change the value of Javascript variables while I'm doing that, because I haven't ever tried it, but I wouldn't be surprised. You could try that yourself to see. I have also used Firebug to edit the HTML of pages so that I can submit requests which the site owners didn't expect, too.

So I would say yes, you do need to be concerned about that sort of thing.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61618

Your server needs to validate all data coming from the browser. Always.

This is just one of the reasons that client-side validation is insufficient for security.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Saurabh Pillai
Ranch Hand

Joined: Sep 12, 2008
Posts: 509
Thank you guys.

Consider this scenario,

You and a few other people, including the manager, CEO and engineers, are working on an assignment. Everybody has input on the given assignment, which they can give by leaving a note in the system (web application). You can see any notes you are authorized to. In the current implementation, we fetch all PKs (primary keys) from the note table that you are authorized to and save them in a JS array. So when you navigate from one note to another, we simply fire a query by note id and get the content. No second checking at the server end. So if it is possible to modify the JS variable, array etc., they can get access to the notes that they are not authorized to. Glitch.

So now I have to change the implementation to validate the requested data. More workload on server to KEEP the data safe.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61618

Saurabh Pillai wrote: So now I have to change the implementation to validate the requested data. More workload on server to KEEP the data safe.

This is always a must. It's not "more workload". It's what has to happen. Always.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30919

Yes, it is possible to modify the JavaScript variable. However, that isn't even necessary to get data the user shouldn't see. All the person has to do is change a form value. If you are using GET, this parameter value is already in the URL. If not, Firebug can change a POST form to a GET form and then it is in the URL. Now someone can just start trying different numbers as that id and keep submitting to see what happens.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
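
Added example, not part of the original thread or any poster's code: the note lookup discussed above, once as described (the server trusts the id the browser sends) and once with the authorization check repeated on the server for every request. The note data, user names and function names are constructed for illustration.

```javascript
// Constructed sample data standing in for the note table and its access list.
const NOTES = new Map([
  [101, { author: "engineer", body: "Build is green." }],
  [102, { author: "manager", body: "Budget review notes." }],
  [103, { author: "ceo", body: "Confidential: reorg plan." }],
]);
const NOTE_READERS = new Map([
  [101, new Set(["engineer", "manager", "ceo"])],
  [102, new Set(["manager", "ceo"])],
  [103, new Set(["ceo"])],
]);

// The design described in the thread: trust whatever id the browser sends.
function getNoteUnchecked(noteId) {
  const note = NOTES.get(Number(noteId));
  return note ? { status: 200, body: note.body } : { status: 404 };
}

// Hardened: the user comes from the server-side session, never from the
// request, and authorization is re-checked on every fetch.
function getNote(sessionUser, noteId) {
  const id = Number(noteId);
  if (!Number.isInteger(id)) return { status: 400 };
  const readers = NOTE_READERS.get(id);
  // Same answer for "missing" and "forbidden", so guessing ids reveals nothing.
  if (!readers || !readers.has(sessionUser)) return { status: 404 };
  return { status: 200, body: NOTES.get(id).body };
}

// Ids the page may be given for navigation: a convenience, not a control.
function listReadableIds(sessionUser) {
  return [...NOTE_READERS]
    .filter(([, readers]) => readers.has(sessionUser))
    .map(([id]) => id);
}
```

The id array sent to the browser can stay for navigation; the decision about who may read a note is made only in `getNote`.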
 