How to detect or avoid edited javascript from client browser?

I'm new to using JavaScript.
Now I can edit my JavaScript code from the browser using Firebug.
Any ideas on how to detect or avoid edited JavaScript from the client browser?

You can't.
You can (and should) use server side code to check that any data sent to the server is sane, but you can't do anything to stop people sending whatever data they like.

It is not possible to prevent people from tinkering with your js in the browser, since js is sent as-is, from the server.
You can however obfuscate your js to make it slightly harder to edit. (Another link)

Related

Access php script only from my js script

I have a php script in my application, this script should be triggered only by a js script from my application.
Actually, I'm trying to convert js errors to php errors, so I intercept js errors and send them to a php script.
The problem with this approach is that then anyone is able to use the php script as well (and possibly spam the service).
I'm looking for a general approach here or for ideas to make a secure service.
So far, I found those options:
create a unique php key that one (the js script) must send in order to "post" an error to the php script.
That's my best option for now, but unfortunately, so far, no matter how complex my key, or logical secure system is,
I cannot find a 100% "uncrackable" solution (I can make it pretty hard for a potential spammer though).
use the html5 FileSystem api, but the problem is that the files that we can write to are browser dependent.
And then maybe watch for changes in those files, and notify php when a change is made.
Do you have other ideas in mind ?
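One way to bound abuse of such an error-report endpoint, shown as an added example that is not part of the original post: the server issues a short-lived token tied to the visitor's session and rate-limits accepted reports per session. It is written in Node.js for illustration (the same logic applies in the PHP script); all names, limits and the in-memory store are assumptions. Any key shipped inside the JS is visible to the user, so the token limits how much a spammer can send rather than making the endpoint private.

```javascript
// Added example. Names, limits and the in-memory store are constructed for illustration.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // stays on the server, never sent to the browser
const TTL_MS = 10 * 60 * 1000;         // a token is valid for 10 minutes
const WINDOW_MS = 60 * 1000;           // rate-limit window
const MAX_REPORTS = 5;                 // accepted reports per session per window
const accepted = new Map();            // sessionId -> timestamps of accepted reports

function mac(sessionId, expires) {
  return crypto.createHmac('sha256', SECRET).update(`${sessionId}.${expires}`).digest();
}

// Embedded in the page the server renders for this session.
function issueToken(sessionId, now = Date.now()) {
  const expires = now + TTL_MS;
  return `${expires}.${mac(sessionId, expires).toString('hex')}`;
}

function verifyToken(token, sessionId, now = Date.now()) {
  const [expStr, hex = ''] = String(token).split('.');
  const expires = Number(expStr);
  if (!Number.isSafeInteger(expires) || expires < now) return false;
  const given = Buffer.from(hex, 'hex');
  const expected = mac(sessionId, expires);
  // Constant-time comparison; the length check avoids a throw on malformed input.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Called by the error-report endpoint before it logs anything.
function acceptReport(token, sessionId, now = Date.now()) {
  if (!verifyToken(token, sessionId, now)) return 'rejected';
  const recent = (accepted.get(sessionId) || []).filter((t) => now - t < WINDOW_MS);
  accepted.set(sessionId, recent);
  if (recent.length >= MAX_REPORTS) return 'throttled';
  recent.push(now);
  return 'accepted';
}
```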

Can a user edit website's javascripts

I am building a website which uses a lot of javascripts. I want to know if a user can edit the js too along with seeing it.
For example, I have an ajax function which calls a.php. Can a user just edit the js function in firebug or something similar to make it b.php, which I don't want to be available to everybody?
Similarly, I call an ajax function with parameter x. Is it possible for a user to make that parameter y and then call that function?
Yes. Anything in the user's browser is under the control of the user.
You have control over nothing beyond the edge of your HTTP server.
Anything that is front end, that means, HTML, CSS javascript in any of its forms or any other scripting client side languages can be modified and it is your job as a web developer to expect them to be modified by curiosity of the user or just to try and find vulnerabilities.
That is why while having client side validations (javascript in any form or just HTML5 ones), it is also of utter importance that you actually validate this stuff on server side, with whatever language you are using (PHP, Ruby, ASP just to give a few examples).
On Chrome, users can easily press F12 on their keyboard to see your javascript/html/css code and try to modify it, we as web designers/developers do it as well for just inspiration, check out how something works, and well expect other people with different intentions to do it.
Same goes with Firefox, opera and pretty much any other web explorer.
Your job is not to prevent this, but to prevent that when someone changes something on the client side, the server side is ready to respond back in an appropriate way, preventing harm to the information on your servers.
To give a concrete example, that is why people take so much time in making sure queries to databases are sanitized, and not subjected to sql injections. More information about those here: http://www.unixwiz.net/techtips/sql-injection.html
So no, you can't prevent users from modifying your front end files, at most you can try some practices I've seen around like disabling right click (really annoying).
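The server-side checks these answers call for, as an added example that is not part of the original posts: the handler assumes the browser may have swapped the endpoint (a.php to b.php) or the parameter (x to y), and decides from server-side session state alone. Action names, roles and session fields are hypothetical.

```javascript
// Added example. Actions, roles and session fields are constructed for illustration.
function isPositiveId(params) {
  return Number.isInteger(params.id) && params.id > 0;
}

const ACTIONS = {
  // action -> roles allowed to call it, whether the caller must own the record,
  // and a validator for the parameters the browser sent
  viewProfile: { roles: ['user', 'admin'], ownerOnly: true, valid: isPositiveId },
  deleteUser: { roles: ['admin'], ownerOnly: false, valid: isPositiveId },
};

// `session` is looked up server-side from the session cookie; `action` and
// `params` arrive from the browser and may have been edited by the user.
function handleRequest(session, action, params) {
  // Own-property lookup so names like "constructor" are not treated as actions.
  const known = Object.prototype.hasOwnProperty.call(ACTIONS, action);
  if (!known) return { status: 404, error: 'unknown action' };
  const spec = ACTIONS[action];

  // Authorization: calling a different endpoint does not grant its privileges.
  if (!session || !spec.roles.includes(session.role)) {
    return { status: 403, error: 'not allowed for this role' };
  }
  // Validation: types and ranges are checked again, whatever the client JS did.
  if (params === null || typeof params !== 'object' || !spec.valid(params)) {
    return { status: 400, error: 'invalid parameters' };
  }
  // Ownership: changing the parameter must not expose someone else's record.
  if (spec.ownerOnly && session.role !== 'admin' && params.id !== session.userId) {
    return { status: 403, error: 'not your record' };
  }
  return { status: 200, action, id: params.id };
}
```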

Firebug (firefox) injections on Pagemethods(webservices)

While I was developing some web apps, to me it became optimal to use a web service to interact with the server, and the rest I was enjoying to do with client side (JQuery). But when I was testing my code, I encountered a huge hole in it, and I don't know how to prevent it.
The problem is that I can easily inject javascript and run any functions including webmethods from firefox's firebug tool. Is it something known, and what should be done to prevent it?
Thank you
This is not a hole at all. The client can only run JavaScript code on the page that they have downloaded from you on their own computer. It has no effect on your site at all.
As for the ability for them to make requests via JavaScript -- well, they can make requests via the browser too. What's the difference? Just make sure that your server properly validates all requests -- it should treat any request as if it were as malicious as possible.

XSS - Send data to the source server of a script?

I am writing a JavaScript application where I plan on hosting the code on a CDN. Now I plan to include this code to my clients' sites. However, I have a problem, I want to use AJAX to communicate between the client and the server. Now, from my understanding of XSS, this is not possible.
Ex:
User visits site.com, where a script tag's source is pointing to a file on cdn.somedomain.com
The script on cdn.somedomain.com fires an event.
This event will communicate with a PHP. I know it is possible for the script from cdn.somedomain.com to request documents on site.com. However, is it possible to send data back to a PHP file on cdn.somedomain.com?
Thanks for helping an entrepreneur! :D
The short answer is I think this is possible, but it depends on a couple of things. The same origin policy is a weird thing in that it won't allow cross domain reads, but will allow cross domain writes.
I think a way you could accomplish your goal is by making a GET request (minimally by creating an iframe, img, or whatever else that pulls a src) or possibly even using AJAX. If your goal is to only send data, then that should be fine. However, if you want to read this data back then I think that'll be a little less straightforward. I can't really answer that right now - especially without knowing more details about your system setup.
Sounds like a weird use of a cdn. Normally cdns serve static assets, so you wouldn't put a php file there. In fact the cdn wouldn't normally run dynamic server side code at all.
You can address the problem in several ways. Newer browsers support CORS and cross domain ajax. The cdn would then have to use the Access-control-* headers. You could also look at something like easyXDM, which works in older browsers.
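How a server might produce the Access-Control-* headers mentioned above, as an added example that is not part of the original answers: it handles both the preflight and the actual request against an origin allowlist. The https scheme on site.com, the allowed method and the header values are assumptions, and the endpoint is assumed to serve browsers only.

```javascript
// Added example. Origins, methods and header choices are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['https://site.com', 'https://www.site.com']);
const ALLOWED_METHODS = ['POST'];

// `headers` uses lower-case names, as Node's http module provides them.
// Returns the status, the CORS headers to send, and whether to process the body.
function corsResponse(method, headers) {
  const origin = headers.origin;
  const out = { Vary: 'Origin' }; // caches must not reuse a reply across origins
  // Exact match only: a prefix or substring test would accept look-alike hosts.
  const trusted = typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);

  if (method === 'OPTIONS') {
    // Preflight: the browser asks permission before sending a non-simple request.
    const wanted = headers['access-control-request-method'];
    if (!trusted || !ALLOWED_METHODS.includes(wanted)) {
      return { status: 403, headers: out, process: false };
    }
    out['Access-Control-Allow-Origin'] = origin; // echo the matched allowlist entry
    out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    out['Access-Control-Allow-Headers'] = 'Content-Type';
    out['Access-Control-Max-Age'] = '600';
    return { status: 204, headers: out, process: false };
  }

  if (!trusted || !ALLOWED_METHODS.includes(method)) {
    // Without Access-Control-Allow-Origin the calling page cannot read the reply.
    // The request itself still arrived, so the server must refuse to act on it.
    return { status: 403, headers: out, process: false };
  }
  out['Access-Control-Allow-Origin'] = origin;
  return { status: 200, headers: out, process: true };
}
```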

With JavaScript is it possible to Read/Write from/to a file on the server

I have a series of JSON Objects I want to save locally on my server. I am attempting to avoid any server-side script like PHP as required per demand of what's being built. I know it's a security risk, but that in this case is not a particular worry. So that said is it possible to actually write to a file and or get its contents via javascript with or without the help of a lib such as jquery?
I should mention I am attempting to avoid ActiveX as I know this is an IE only feature and the software we are developing is planned to be Cross Browser supported
So that said is it possible to actually write to a file and or get its contents via javascript with or without the help of a lib such as jquery?
Nope. You will need something running on server side that can receive your JavaScript input and write it to the server.
Internet Explorer's proprietary file writing functionality is for writing local (client-side) files only.
You can read a file using ajax, but without a server side language you cannot write a file to the server.
https://developer.mozilla.org/en/ajax
No. Javascript runs on the client. You need server-side code to access the server's file system.
Client-side JavaScript can only send data to a server, there's no way for it to tell the server what to do with the data.
To save data to a file or db on a server, you'll require a server-side script of some sort (could be server-side JS with Node.js). If all you need is persistent data, you could store some JSON strings in localStorage or in cookies as needed. They wouldn't be shareable that way though.
Yes, you can use AJAX requests in JavaScript without using jQuery. However, jQuery will save you an ungodly amount of time and cross-browser testing.
But, as others have already said, you can't write server files without server code.
