{"id":3235,"date":"2013-08-21T10:00:40","date_gmt":"2013-08-21T14:00:40","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3235"},"modified":"2013-08-21T10:00:40","modified_gmt":"2013-08-21T14:00:40","slug":"how-easy-is-it-to-hack-javascript-in-a-browser","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/21\/how-easy-is-it-to-hack-javascript-in-a-browser\/","title":{"rendered":"How easy is it to hack JavaScript in a browser?"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/information-technology\/2013\/08\/how-easy-is-it-to-hack-javascript-in-a-browser\/\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/arstechnica-20130816-rough01.jpg\" \/><\/a><\/p>\n<p>This Q&amp;A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&amp;A sites.<br \/>\nJesus Rodriguez asks:<br \/>\nMy question has to do with JavaScript security.<br \/>\nImagine an auth system where you&#8217;re using a JavaScript framework like Backbone or AngularJS, and you need secure endpoints. That&#8217;s not a problem, as the server always has the last word and will check if you&#8217;re authorized to do what you want.<br \/>\nBut what if you need a little security without involving the server? Is that possible?<br \/>\nFor example, say you&#8217;ve got a client-side routing system and you want a concrete route to be protected for logged-in users. So you ping the server asking if you&#8217;re allowed to visit protected routes and you go on. 
The problem is that when you ping the server, you store the response in a variable, so the next time you go to a private route, it will check whether you&#8217;re already logged in (no ping to the server), and depending on the response it will go or not.<br \/>\nHow easy is it for a user to modify that variable and get access?<br \/>\nMy security (and JavaScript) knowledge isn&#8217;t great. But if a variable is not in global scope and is in the private part of a module pattern which only has getters but not setters, even in that case, can you hack the thing out?<br \/>\nSee the original question here.<br \/>\nSending secret data<br \/>\nJoachim Sauer answers (66 votes):<br \/>\nIt&#8217;s simple: any security mechanism that relies on the client to do only what you tell it to do can be compromised when an attacker has control over the client.<br \/>\nYou can have security checks on the client, but only to effectively act as a &#8220;cache&#8221; (to avoid making an expensive round-trip to the server if the client already knows that the answer will be &#8220;no&#8221;).<br \/>\nIf you want to keep information from a set of users, make sure that those users&#8217; client never gets to that information. If you send that &#8220;secret data&#8221; together with instructions &#8220;but please don&#8217;t display it,&#8221; it&#8217;ll become trivial to disable the code that checks that request.<br \/>\nAs you see, this answer doesn&#8217;t really mention any JavaScript\/Browser specifics. That&#8217;s because this concept is the same, no matter what your client is. 
It doesn&#8217;t really matter if it&#8217;s a fat client (traditional client\/server app), an old-school Web application, or a single-page-app with extensive client-side JavaScript.<br \/>\nOnce your data leaves the server, you must assume that an attacker has full access to it.<br \/>\nRelated: &#8220;What&#8217;s the best way to learn how to develop secure applications?&#8221;<br \/>\nAnother route<br \/>\nBenjamin Gruenbaum answers (17 votes):<br \/>\nPlease read Joachim&#8217;s answer before reading this one. He covers the general reasons behind client-side vulnerability. Now, for a suggestion on how you might get around this problem:<br \/>\nA secure scheme for client-server communication without having to authenticate with the server manually on every request:<br \/>\nYou&#8217;re still letting the server have the last say and the server still has to validate everything the client says, but it happens transparently.<br \/>\nAssume HTTPS protocol to prevent MITM (man in the middle) attacks.<br \/>\nClient handshakes with server for the first time, the server generates a public key for the client and keeps a private one in an asymmetric encryption scheme. Client stores the server&#8217;s &#8220;public&#8221; key in the local storage, encrypted with a secure password you don&#8217;t save anywhere.<br \/>\nThe client is now offline. The client wants to perform trusted actions. 
The client enters his password and grabs the server&#8217;s public key.<br \/>\nThe client now performs actions based on his knowledge of that data, and the client encrypts every action he performs with the server&#8217;s public key for that client.<br \/>\nWhen the client is online, client sends its client ID and all actions the client performed are sent to the server encrypted with the server&#8217;s public key.<br \/>\nServer decrypts the actions, and if they are in correct format it trusts that they originated in the client.<br \/>\nFull Story <a href=\"http:\/\/arstechnica.com\/information-technology\/2013\/08\/how-easy-is-it-to-hack-javascript-in-a-browser\/\" target=\"_blank\">How easy is it to hack JavaScript in a browser? | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This Q&amp;A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"
center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[341,584,1177],"class_list":["post-3235","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exploit","tag-javascript","tag-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Qb","jetpack-related-posts":[{"id":6401,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/09\/10\/comcast-wi-fi-serving-self-promotional-ads-via-javascript-injection\/","url_meta":{"origin":3235,"position":0},"title":"Comcast Wi-Fi serving self-promotional ads via JavaScript injection","author":"NCCT","date":"September 10, 2014","format":false,"excerpt":"Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast's decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate. 
A Comcast spokesman told Ars the\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/javascreener-640x74.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/javascreener-640x74.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/javascreener-640x74.png?resize=525%2C300 1.5x"},"classes":[]},{"id":6713,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/28\/rogue-tor-exit-node-server-added-malware-to-legitimate-downloads\/","url_meta":{"origin":3235,"position":1},"title":"Rogue Tor &#8216;exit node&#8217; server added malware to legitimate downloads","author":"NCCT","date":"October 28, 2014","format":false,"excerpt":"The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users were downloading files. 
Tor is short for The Onion Router, which is software that offers users a greater degree of privacy when browsing the Internet by routing traffic through a\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8135,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/27\/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites-updated\/","url_meta":{"origin":3235,"position":2},"title":"Just-released WordPress 0day makes it easy to hijack millions of websites [Updated]","author":"NCCT","date":"April 27, 2015","format":false,"excerpt":"Our blog was not affected...NCCT Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below. The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OCqQZJZ1Ie4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":3067,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/31\/some-home-automation-systems-are-rife-with-holes-security-experts-say\/","url_meta":{"origin":3235,"position":3},"title":"Some home automation systems are rife with holes, security experts say","author":"NCCT","date":"July 31, 2013","format":false,"excerpt":"A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave. 
Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights, and other sensitive\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6733,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/30\/drupal-users-assume-your-site-was-hacked-if-you-didnt-apply-oct-15-patch-immediately\/","url_meta":{"origin":3235,"position":4},"title":"Drupal users: Assume your site was hacked if you didn&#8217;t apply Oct. 15 patch immediately","author":"NCCT","date":"October 30, 2014","format":false,"excerpt":"Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn\u2019t immediately apply a security patch released on Oct. 15. The unusually alarming statement was part of a \u201cpublic service announcement\u201d issued by the Drupal project\u2019s security team Wednesday. 
\u201cAutomated attacks began\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6247,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/19\/microsoft-pulls-its-august-windows-update-after-users-report-crashes\/","url_meta":{"origin":3235,"position":5},"title":"Microsoft pulls its August Windows update after users report crashes","author":"NCCT","date":"August 19, 2014","format":false,"excerpt":"Microsoft has pulled its August Update for Windows after users reported crashes and issues restarting their systems. The company is currently recommending users uninstall the update. Microsoft said that it discovered issues relating to four individual updates associated with the August Update: 2982791, 2970228, 2975719, and 297533. The updates addressed\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3235"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3235\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=3235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ncco
mputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=3235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}