Can a hacker enter values into my jQuery function?

I get unexpected data from my web application. Can a hacker change values in a JavaScript function?

If my code is:

my_function('new_item',10,20,30,40); 

Is it possible that the parameter 'new_item' has been changed? What can I do to prevent this?

+6
2 answers

Yes, any user can change any JavaScript that you send to their browser. The word "hacker" is overstated here, because even a moderately experienced user can take it apart with full confidence using Firefox's Firebug or the Chrome/Safari Web Inspector. For this reason, web developers repeat the axiom:

Do not trust user input!

Under no circumstances should you trust anything the user submits. Do not insert anything into the database without escaping it, and do not trust the login credentials if the session cannot be verified. Anything that you trust is a vulnerability, and each vulnerability will one day be exploited.

Do not try to protect your JavaScript; that is impossible. Instead, check everything that the user is trying to do: if they request a page that they are not allowed to see, do not serve it to the client, even if the JavaScript requests it.

+9

There is NOTHING you can do to ensure that all of your client-side code is protected. There are some things you can do to make this more difficult, but they do not really help at all, as a more advanced hacker can easily get through.

For example, say you used

 <script></script> 

tags to link in your code from other documents. You could, say, have 4 scripts, where scripts 1, 2 and 3 lead to script 4, which holds the main functions. This will not stop anything; it will simply make things harder for beginner "hackers" / people poking around. But it is only really effective against the Chrome JavaScript console; Firebug doesn't care where scripts are placed in the DOM. So it simply proves that instead of spending time on HIDING your JavaScript code or trying to completely protect it (impossible), you should spend time checking things on the back end.

Just remember that there is no way to completely prevent a hacker from interfering with the client-side code. You should never trust anything on the client side. PHP can be very convenient for any server-side checks. Also make sure that you prevent SQL injection in PHP. But do not think that you are safe just because you used mysql_real_escape_string(). Read more about it here: SQL injection that gets around mysql_real_escape_string(). I personally recommend PDO for your db code.

Just think of your server-side code (like PHP) as the main moat. Now think of the client code as a wooden fence around this moat. Any soldier can easily knock down this wooden fence, but they will have to get across the moat to reach your place (they would have to pass the PHP check). If the moat were unguarded (no PHP check on the variables), then the soldier could dig through while no one is looking.

^ Now think of this as your site. Is the moat vulnerable to digging? If so, put some guards there (make sure you do the checking in PHP).

You should NEVER, EVER trust the client side. There is NO protection for this wooden fence. Even JavaScript advocates cannot protect it.

[I edited this answer a lot, because at first I didn’t quite understand what I really meant.]

-2
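The server-side check that both answers call for, as an added example (not code from either answer, and in JavaScript for Node.js rather than the PHP the second answer recommends): it validates the request that the question's my_function('new_item',10,20,30,40) call would send, using an allowlist for the item name and an integer range for the four numbers, and only then hands the data to the database as bound parameters. The JSON field names (item, quantities), the allowed item names and the range 0 to 100 are assumptions.

```javascript
// Added example, not from the original answers: the server must re-check the values
// behind my_function('new_item',10,20,30,40) because the client can send anything.
const ALLOWED_ITEMS = new Set(['new_item', 'other_item']); // assumed catalogue
const QUANTITY_MIN = 0, QUANTITY_MAX = 100;               // assumed policy

// Returns { ok: true, value } for a request that passes every check, otherwise
// { ok: false, error }. The returned value is rebuilt from checked fields only.
function validateItemRequest(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, error: 'body is not valid JSON' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  // The item name must be one the server knows; any other string is rejected.
  if (typeof body.item !== 'string' || !ALLOWED_ITEMS.has(body.item)) {
    return { ok: false, error: 'unknown item' };
  }
  // Exactly four quantities, each an integer (not the string "20") inside the range.
  if (!Array.isArray(body.quantities) || body.quantities.length !== 4) {
    return { ok: false, error: 'expected four quantities' };
  }
  for (const q of body.quantities) {
    if (!Number.isInteger(q) || q < QUANTITY_MIN || q > QUANTITY_MAX) {
      return { ok: false, error: 'quantity out of range: ' + String(q) };
    }
  }
  return { ok: true, value: { item: body.item, quantities: body.quantities.slice() } };
}

// Only validated data reaches the database, and then as bound parameters kept
// separate from the SQL text (the same idea as PDO prepared statements).
function buildInsert(validated) {
  const [a, b, c, d] = validated.quantities;
  return {
    sql: 'INSERT INTO items (name, q1, q2, q3, q4) VALUES (?, ?, ?, ?, ?)',
    params: [validated.item, a, b, c, d],
  };
}

// Constructed sample requests: the honest one and three tampered variants.
const SAMPLE_REQUESTS = {
  honest: '{"item":"new_item","quantities":[10,20,30,40]}',
  renamed: '{"item":"admin_item","quantities":[10,20,30,40]}',
  negative: '{"item":"new_item","quantities":[10,20,30,-40]}',
  stringy: '{"item":"new_item","quantities":[10,"20",30,40]}',
};
```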

Source: https://habr.com/ru/post/923743/
