Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
If I were malicious (or malicious and thoughtless) I could add some PHP to websites I'm working (or back-end web applications I'm building) that can send some data I'm not authorised to have to my remote server. There are numerous ways to achieve that.
I was wondering: can Javascript do something similar?
For example, is it possible to be spied by using some html/css/javascript web template which will disclose informations from(about) my website - send any kind of information from my website/web app to remote server of malicious developer?
Thanks in advance.
Yes, of course you can send data to other servers using javascript. The difference to your PHP-snippet approach is only that it is executed client-side, at the user's view of the application. So, you can only leak data that the current user is knowing, and you can only compromise the application with the rights of the current user (and his credentials).
However, it would be more difficult to detect javascript injections (which can also happen clientside or during the transfer) than malicious PHP snippets.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I am working on a "system requirements" project - where I need to know my visitors system hardware. It must work online. I know I can get the visitors GPU info but can't get CPU, RAM, HDD, etc.
Is it possible to obtain a visitor's hardware information?
In short, no.
PHP runs on the server and only has access to it and data sent to it.
Javascript runs on the client but is sandboxed and has no direct access to the hardware layer (just limited information about the GPU).
All services that do offer this kind of "scanning" (nVidia, etc) - use a downloadable application that scans the hardware for that platform then returns the result to the web service.
So you can do it, but you would need some additional software that can run on the client machine that can access the data you require.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
How do services which have JavaScript client libraries secure those libraries and the APIs they call? Specifically:
Ensure library is only loaded on valid sites.
Ensure a user doesn't just open up the console and start making calls.
Any other major considerations to be made?
Ensure library is only loaded on valid sites.
You can't and you don't. Security in client-side JS is futile. If you're talking server-side JS, you're pretty much pwned if arbitrary code is able to execute server-side.
Ensure a user doesn't just open up the console and start making calls.
Most services require some form of API key/token, a value that needs to go with your API requests so that the service can check its validity. This value is usually only obtainable by being a registered user of the service. That means an API key is tied to an account. If the service finds out that you're breaking ToS, they can simply block your API key or account altogether.
For public APIs, there's a combination of rate limiting, tracking and blocking (i.e. IP or a fingerprint of some sort), referrer checks (ensure something is only loaded by a certain page, not somewhere else), UA checks (ensure a browser is downloading, not a bot, app or something), and more. Individually, these checks are easily spoofed, but combined, can be a deterrent.
Well, since your js basically lives client side then the only thing you could really do there is make users authenticate before they can really get your libraries. Anything past that would really just be a tiny roadbump to anyone who really wants to manipulate your js.
Where you do have and can maintain control is securing your API calls. The most popular forms are with basic auth, OAuth, and IP whitelisting.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I have to build a website which involve e-commerce stuff like it should allow the users to login and then view the available items. Once the user selects the items and makes payment, it may need additional information in the form of some images/videos to complete the order. So, after payment step, it prompts the user to upload the file and when the file is uploaded on the server, request is complete and the user is kept informed about the status.
All the core functionality is already implemented using REST-ful webservices. I am not able to decide if I should implement the website using HTML+JS (using AJAX to call webservices) or should still use JSP and call webservices using java at server side? Someone suggested me that using JSP is better since it will execute on server side and hence will be secured and faster. But, I somehow feel that HTML+JS is easier to go. Is there some specific advantage to use a server side script like JSP for this purpose? Any ideas are most welcome.
Yes server side scripting will be fruitful for this purpose for security constraints. Or you can use angular js though they are easy to learn and they are secure and can make fast XHR request response. :)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I made a database that holds information about clinical trials and so far I have been accessing and writing to it using php. I was wondering if there was a way to read/write to a SQL Server database using javascript or jquery? The UI I am developing will be for adding clinical trial data to the database. Only the DB admins will have access to this UI so security should not be a "huge" problem.
You need a middle tier like php, rails, java... to do the database write. You can't do this from the browser with javascript. But there is Node.js, which allows you do write javascript on the server.
In short, no. Even if there was, you should never leave data validation to the client. Just because your DB Admins are trustworthy, doesn't mean those who break into your network will be. DROP TABLE ClinicalTrialData; would be a bad thing. Use PHP/backend of choice to do the donkeywork and use AJA[X|J] if you want a slick UI experience.
Only server side Javascript methods such as using NodeJS as your server. Never put your database credentials on the front end unless you want people to directly access your database.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Do you know any modern JavaScript blog engine or script which runs on client side? I am not talking about node.js, but rather a script which doesn't need more than static WWW server (i.e. no PHP).
It should:
fetch blog posts from some JS database (e.g. localStorage, external JSON backend)
render them using some HTML template
allow to link to specific post
possibly allow to edit posts and send them back to the database?
I know about JavascriptMVC, AngularJS, Backbone, Knockout, etc., but they are rather frameworks than complete apps. I'm searching for something similar to the old JSCMS.
Update: Searching through GitHub I have found some desirable projects: MiniLOL and Static Site CMS. Do you know any more?
Sure you can do it but everyone would have to be on the same computer for the "blog engine" to work. It's almost equivalent to everyone using the same text document.