Geek Answers Handbook

Is the bad form for javascript execution returned by an AJAX call?

I am modifying an existing web application that allows you to manage users who can log in. When user data is changed through a dialog, the update data is sent to the server via AJAX. A few javascript lines to then refresh the current page to reflect these changes are returned with the goal of making them. This seems like a bad form to me - doesn't starting JS remotely is dangerous?

If I were to change this, I would have an AJAX call that sends the updated information, and then calls another function that receives the latest data from the server via AJAX (or just refresh the page if I feel lazy). Are there any advantages (mainly security, but from an architectural point of view) to make this change, or am I anal?

+7
source share
6 answers

Assuming we are talking about eval used for non-json.

People will tell you all about things, most of which have a certain basis in reality. I would say that one of the reasons that is really understandable: it will make the code a nightmare to maintain, and it will be very difficult to track errors.

There are security issues, many people like to jump to "javascript is a customer problem." I say if this comes from your site, this is also your problem.

In the end, there is no good reason that I can think of to eval javascript from the server. Transfer data from the server and write javascript on the client side to respond to this data.

+4
source

All JS executed by the browser are deleted remotely.

The server that returned JS / JSON via AJAX is the same server on which the HTML code that caused the AJAX call was returned.

If it is possible to do something bad, it can be done if you eval result of an AJAX call or not.

+3
source

Personally, I do not see a problem. Of course, people say things like β€œIt allows you to execute code on the client side,” however, if a potential attacker can influence this, then your problem is not being able to modify the code.

Seriously, I think you have much more serious problems than this. I personally would spend 10 minutes or so looking through your code and looking for flaws instead of working on an alternative to eval (). I think this will improve your security even better.

Mike Samuel mentions MITM. I do not understand why. If you are susceptible to a MITM attack, the likelihood is that the code can be entered directly on the HTML start page (again, of course, a slightly higher risk, but is it really worth worrying about your choice.)

+2
source

If a trusted developer wrote everything and you protect it the way you do the rest of your HTML page, then no.

But even if it is JavaScript written by trusted developers, if it is served via HTTP, then an attacker can modify it in flight, because HTTP through a free wireless network is often susceptible to MITM .

This can be used to effectively set the keylogger in the current browser window, to steal user passwords, redirect them to phishing pages, etc.

An attack can work as follows:

  • The webpage performs a GET up to http://example.com/foo.js .
  • The attacker modifies foo.js mid-flight to add the JavaScript that window.addEventListener("keypress", /* a keylogger that sends all keys to evil.com cross domain by image loading tricks */)
  • The browser loads the modified JavaScript.
  • The user enters the password in <input type=password> .
  • Evil wins.

Since HTTPS (in the absence of mixed content) is not sensitive to MITM, it is not vulnerable to this attack.

+1
source

Answer Sort: Yes

Long answer: you should just send data for security reasons and keep your implementations separate.

Improperly sanitized user-generated content or ads can enter code and run it. Of course, this should be a targeted attack, but maybe you are working on a launch that will become the next Google system or forum, which will become the next vBulliten. Even if you have 10 users, security holes are still holes and still bad for you and your users. In addition, the poor safety advice surrounding SO will force others to make bad decisions.

Do you really want to make sure that the code that you generate on the fly and send to the client is correct in all possible cases? What if someone works on only one half of the system? Will they know every variable name to avoid stomping? Just sending data is the best way to save a β€œsmall” change in your client / server connection, to break everything in a way that is not obvious, and debugged forever.

0
source

You probably don't want to just call another function after sending the data update, because then you can display information that is not true if the update is not performed. At least with the current model, your service can adapt javascript based on whether the update was successful. You might want to consider whether the service returns true / false and the callback function handles updating the user interface.

0
source

More articles:


All Articles