Javascript Security


Javascript is a cross-platform client-side scripting language. It is widely used and convenient to add for any client-side task. However, Javascript code that has not been carefully inspected can lead to serious security issues.

Hackers look for two types of Javascript security vulnerabilities on your website. The first is whether they can force your code to throw an uncaught Javascript exception and thus stop the whole page from running; the second is whether they can inject an external Javascript file into your page and call your methods from their page.

Anyone with experience debugging Javascript knows that if an uncaught Javascript exception is thrown, the page stops responding, and not only the Javascript part: most of the server calls stop as well, because most of them are initiated by the Javascript code on the page. Once the page stops responding, the hacker can do more things through the stopped page. One famous example of what a page in this state can be made to do comes from the early days of iOS jailbreaking, which was done by using Safari to load a page with intentionally broken Javascript code.

On the other hand, the nature of Javascript makes code injection easy. If the Javascript functions on the page are independent, any hacker can create their own Javascript file and simply call the functions they want, because there is no encapsulation among top-level functions in Javascript. If the function called by the hacker happens to do any CRUD on the database, the whole system is exposed to the hacker's attack.

Basic Method To Solve

For the two issues discussed above, there are methods to solve or avoid them.

To avoid attacks through Javascript exceptions, the solution is simple: catch or avoid every possible exception. However, the simple solution is not necessarily easy to achieve. Javascript has the following data types: String, Date, Number, Boolean, Array and Object. A variable can also hold the value null or be undefined. Carefully validating data against those data types and value types helps a lot. Also remember to use “===” when you need a strict comparison.

The solution to the other problem is more complicated and tricky. Each company in the industry has its own solution, but most share the same concept. The basis of the concept is that every function is hidden inside a module as a property of the module object and can only be called by a controller. The controller is started on document.ready, monitoring and responding to page events, but cannot be called from outside. Therefore, the only way to call the method is to trigger the correct event on the page, so that the controller listening for that event calls the method inside the corresponding module. This won't eliminate all vulnerabilities, but it improves security by a lot. Be sure to talk to your architect about the solution your system should be using.

Years ago, when I was working for a top tech company, the architect there had an excellent statement about the security of Javascript: “you should never let outside code control our site!”
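The module-and-controller pattern from the paragraph above, together with the type validation and catch-every-exception advice, as an added example that is not from the original post. It assumes Node.js rather than a browser, so a constructed page stub with addEventListener/dispatchEvent stands in for the DOM and its document.ready step; the names makePage, deleteRecordExposed, recordsModule, startController and the 'delete-click' event are all hypothetical.

```javascript
'use strict';

// Constructed stand-in for the DOM page: only addEventListener/dispatchEvent, no browser needed.
function makePage() {
  const listeners = new Map();
  return {
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    dispatchEvent(type, detail) {
      for (const fn of listeners.get(type) || []) fn({ type, detail });
    },
  };
}

// Exposed shape the post warns about: a top-level function that modifies data.
// Any script loaded into the page can call deleteRecordExposed(db, id) directly by name.
function deleteRecordExposed(db, id) {
  delete db[id];
  return true;
}

// Hardened shape: the module lives inside the controller's closure. The controller is
// started once (the document.ready step) and reacts only to page events, so no code
// outside the closure can reach recordsModule.remove() by name.
function startController(page, db) {
  const recordsModule = {
    remove(id) {
      // Validate the data type first; this rejects null, undefined, numbers and objects.
      if (typeof id !== 'string' || !Object.prototype.hasOwnProperty.call(db, id)) return false;
      delete db[id];
      return true;
    },
  };
  const results = []; // outcome of every handled event, kept so callers can inspect it
  page.addEventListener('delete-click', (ev) => {
    try {
      results.push(recordsModule.remove(ev.detail));
    } catch (err) {
      // Catch everything: an uncaught exception here would stop the page's scripts.
      results.push(false);
    }
  });
  return { results }; // recordsModule itself is deliberately never returned or exported
}
```

Only the page event reaches the module's method; a script that merely loads alongside this code finds no global function to call, and malformed event data is rejected rather than thrown.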
