Is Javascript Secure?

Posted by dredge on June 7, 2006, 12:11 pm
Hi Everyone,

I have been asked to build a PHP application that calculates important
financial information based on some user-inputted numbers and that will
not allow the user to continue forward unless a certain percentage
range has been met. To validate the numbers, I am considering using
Javascript as opposed to having the PHP code validate the numbers
because Javascript is faster (it is almost instantaneous because the
validation code is running on the client side and does not have to wait
for a refresh, as would be required for the server-side PHP
validation).

My question is: is Javascript secure? My concern here is that because
the Javascript validation would run on the client's computer, they
could potentially hack it to allow unacceptable financial numbers to be
submitted. Am I just being too paranoid here?

Thanks in advance,

-Karl


Posted by Bit Twister on June 7, 2006, 12:20 pm
On 7 Jun 2006 09:11:25 -0700, dredge wrote:

> My question is: is Javascript secure? My concern here is that because
> the Javascript validation would run on the client's computer, they
> could potentially hack it to allow unacceptable financial numbers to be
> submitted.

Saw an article on how sql injection was done.
They pulled the web page source to their box, chopped out the code
which tested input, then ran the page locally, injecting sql code to get
database data access.

> Am I just being too paranoid here?

Criminals are getting into cracking as a business.
I would be nervous.
Ask the lawyer how much you could be sued for poor security code.

Posted by Todd H. on June 7, 2006, 12:48 pm

> Hi Everyone,
>
> I have been asked to build a PHP application that calculates important
> financial information based on some user-inputted numbers and that will
> not allow the user to continue forward unless a certain percentage
> range has been met. To validate the numbers, I am considering using
> Javascript as opposed to having the PHP code validate the numbers
> because Javascript is faster (it is almost instantaneous because the
> validation code is running on the client side and does not have to wait
> for a refresh, as would be required for the server-side PHP
> validation).

That would be a huge (albeit common) mistake.

> My question is: is Javascript secure? My concern here is that because
> the Javascript validation would run on the client's computer, they
> could potentially hack it to allow unacceptable financial numbers to be
> submitted. Am I just being too paranoid here?

No, you are paranoid with good cause!

By using a software web proxy (such as paros or spike) or firefox
plugins like tamperdata it is trivially simple to modify form fields
as they are submitted to the server, bypassing all javascript client-side
validation.

Nothing will get you around the inconvenient necessity of having to
scrub all form field data on the server side and treat it as
malicious. Before you develop this application, I strongly recommend
you read the OWASP guide to open web application security:
http://www.owasp.org/index.php/OWASP_Guide_Project

Specific to the issue you're discussing is data validation, which
is #1 on OWASP's top ten security threats to web apps:
http://www.owasp.org/index.php/Unvalidated_Input


Quoting that, "A surprising number of web applications use only
client-side mechanisms to validate input. Client side validation
mechanisms are easily bypassed, leaving the web application without
any protection against malicious parameters."


Best Regards,
--
Todd H.
http://www.toddh.net/

Posted by utternoncesense@gmail.com on June 8, 2006, 10:49 am
I agree entirely with Todd. Client Side Validation is in no way a
substitute for Server-Side. They can be, and often are, used
together, because - as you said - it's 'nicer' to get instant feedback
on your submission if you missed a decimal point. But you -must-
assume the input is bad after the user submits the form and check it
again.

If you want to get fancy, you could write some type of PHP code inside
a PHP variable, and for the Server-Side check eval() it, and for the
client side Javascript parse the variable replacing the few things that
are necessary to replace (e.g., stripping $'s) and output the parsed
code as Javascript so you don't have to rewrite the PHP, but be careful
how you're handling input in the code you're going to eval - SQL
injection is bad, but if you let a User pull off PHP injection - you're
sunk. I wouldn't recommend considering this unless your Validation
Code is changing frequently.
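The following is an added example, not code from anyone in this thread. It illustrates two points made above: Todd's point that the server must re-check every submitted field because the browser-side script can be bypassed with a proxy or by editing the form, and the last post's wish to avoid writing the validation rule twice. Instead of the PHP eval() trick that post describes, the rule here is a single pure JavaScript function with no DOM or request dependencies, so the same file can be bundled for the browser (instant feedback) and run again on the server (the check that actually counts). The field names revenue and cost, the 5-20% "acceptable range", the margin formula and all function names are assumptions made for this example; the original question never states its real rule.

```javascript
// Added example (not from the thread). One pure validation rule that can be
// shipped to the browser for instant feedback AND run again on the server,
// because the browser copy can be bypassed with a proxy or by editing the form.
// Field names, the 5%-20% "acceptable range" and the margin formula are
// constructed for illustration; the original post never states its real rule.

const RANGE = Object.freeze({ min: 5, max: 20 }); // assumed acceptable percentage range

// Strict numeric parsing: reject "", "12abc", "1e309", Infinity, NaN, arrays, etc.
function parseStrictNumber(raw) {
  if (typeof raw !== 'string') return null;
  const s = raw.trim();
  if (!/^-?\d+(\.\d+)?$/.test(s)) return null;
  const n = Number(s);
  return Number.isFinite(n) ? n : null;
}

// Pure business rule: no DOM, no request object, so it runs unchanged in a
// browser bundle and in Node. Returns { ok, errors, percent }.
function validateFinancials(fields) {
  const errors = [];
  const revenue = parseStrictNumber(fields.revenue);
  const cost = parseStrictNumber(fields.cost);
  if (revenue === null) errors.push('revenue must be a plain decimal number');
  if (cost === null) errors.push('cost must be a plain decimal number');
  if (errors.length) return { ok: false, errors, percent: null };
  if (revenue <= 0) errors.push('revenue must be positive');
  if (cost < 0) errors.push('cost must not be negative');
  if (errors.length) return { ok: false, errors, percent: null };
  // Constructed rule: margin percentage must fall inside RANGE.
  // Multiply before dividing so whole-number inputs give exact percentages.
  const percent = ((revenue - cost) * 100) / revenue;
  if (percent < RANGE.min || percent > RANGE.max) {
    errors.push(`margin ${percent.toFixed(2)}% is outside ${RANGE.min}-${RANGE.max}%`);
  }
  return { ok: errors.length === 0, errors, percent };
}

// Server side: parse the raw application/x-www-form-urlencoded body exactly as
// it arrived and re-run the same rule. Whatever the browser script "already
// checked" is irrelevant here; the server only trusts what it verifies itself.
function handleSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = {
    revenue: params.get('revenue') ?? '',
    cost: params.get('cost') ?? '',
  };
  const result = validateFinancials(fields);
  return result.ok
    ? { status: 200, body: { margin: Number(result.percent.toFixed(2)) } }
    : { status: 400, body: { errors: result.errors } };
}

// Constructed sample submissions: the first is what a well-behaved browser
// sends; the others are what the server may receive once the client-side
// check has been skipped, so it must reject them on its own.
const honestBody = 'revenue=1000&cost=850';     // 15% margin  -> accepted
const tamperedBody = 'revenue=1000&cost=-5000'; // negative cost -> rejected
const garbageBody = 'revenue=1e309&cost=abc';   // not plain numbers -> rejected
const missingBody = 'revenue=1000';             // field absent -> rejected

if (typeof require !== 'undefined' && require.main === module) {
  for (const body of [honestBody, tamperedBody, garbageBody, missingBody]) {
    console.log(body, '->', JSON.stringify(handleSubmission(body)));
  }
}
```

The browser bundle would call validateFinancials on the form's field values before submit to give the instant feedback the original poster wants; the PHP (or any server) endpoint must still do the equivalent of handleSubmission on the raw request, since that is the only copy of the rule an attacker cannot edit.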

