Can JavaScript variables be easily modified maliciously? - javascript

I am setting up a quiz that uses boolean variables for correct/incorrect and then passes those variable values to a PHP script via Ajax for processing and storing in a database.
How easily could someone override the values set by my code with after finding the var names with "view source"?

Yes.
You should send the answers to the server and let the server grade the quiz.

They can do it easily using Chrome/Firebug Console by issuing a Javascript command over there like
var your_var_name = 60;
You must have backend synchronization also to prevent this.

for testing purpose you can use firefox add on firebug or chrome's developer tool kit. Change your javascript variable using inspect element and than perform action of button which posts your data. On server side you should make sure that posted variable must be any of variable that is in option of answer of that question.

Related

Can my JavaScript code be edited at runtime by (malicious) users?

Can my JavaScript code be edited at runtime by (malicious) users, even when it is uploaded in a web hosting site?
For example if I declare a variable in my script something like:
var myvalue = 2;
I want to know if it can be edited to:
var myvalue = 1;
Short answer: yes.
Anyone can open the browser's Developer Tools and change values, execute arbitrary code, remove or change or edit anything they like.
So if there is anything crucial in your application where an invalid value could cause a security or data validation issue, then, if that data (or data which is derived using that value) is submitted to the server, it must be re-validated using server-side code (which of course cannot be changed) before being accepted.
P.S. Bear in mind that any edits to the code or variable values will only persist until the next time the page is re-loaded. When the page is refreshed, the JavaScript and HTML files will be downloaded again from the server and all code and variable values are reset to their starting state. Assuming there are no other security vulnerabilities in your server, then a malicious user cannot edit the original source code files which are stored there. They can only change the copy which gets loaded into the browser.

HTML download counter without PHP

I'm wondering if it's possible to make a download counter without the use of php. I have been told it's possible but cannot find anywhere that has helped me.
I am trying to save the counts to text file on the server. I cannot use php as my server does not allow the use of it. I have tried javascript but can't seem to get anything working. Any suggestions or guidance would be appreciated!
The server allows, html, javascript, and css.
PHP is the most common server language available on hosting services, if your server does not allow it, it's possible you can't use any language at all on the server side.
Let's assume you can't use any language on the server side, then there is two possible actions.
use a third party server where you can save your data.
save locally your data using javascript.
Using a 3rd party service might be complex to implement and you need to learn a bit about cross origin request. You will need to add a few javascript librairies and understand a lots of concept so I'll just go with the easy one.
You browser have a localStorage wich can be access through Javascrip
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
[!] Know that this will be save only on your browser therefore other users or session will not have access to the counter.
// get the saved value or zero if not found
var count = localStorage.getItem('so-demo') || 0;
// increment the value by 1
count++;
// save the value
localStorage.setItem('so-demo', count);
// show the actual value
document.getElementById('theValue').innerHTML = count
<div id="theValue">localStorage is not allowed on stack overflow but works elsewhere</div>
The similar question had already been raised, check out this topic
The way suggested with Google Analytics out there is quite a good idea

Sending data to external js file without it being visible to user (CodeIgniter)

I want to send a variable from my controller to a view which then uses that variable as a parameter for a Javascript function found in an external file. I know that, for example, I could pass the variable from the controller to the view using an array, and then use:
var quiz_key = <?php echo $quiz_key; ?>;
to pass the php variable to a javascript variable, which I could then use as a parameter for the function. However, in doing this, the variable becomes visible if a user was to View Source and see the html. Is there a way of accomplish this to where the variable would not be visible in this context?
Thanks in advance! I'm still getting the hang of this so any help is appreciated!
No. As javascript is not a server side language, but it runs on the client's browser, it cannot be completely hidden from him. You can hide this piece of code, obfuscate it, minimize it, but it can be found eventually.
You can set up a node.js server on the remote machine, connect to it, send it some variables, then process them and return to the client the result, but that's much more complex sollution.
I'll Vote for using Ajax. nodejs is good but if you are in a hurry you should use Ajax.

Using PHP - is it possible to set SessionStorage in the browser?

Im pulling in a $_SESSION variable coming from my database, either: $_SESSION['lvl'].
After the level is fetched, I'd like to store that variable in the browser's session as key value pairs using the sessionStorage API; is this possible?
I do not see any docs or info as it looks like this is only possible using JavaScript.
I'd like to set it within my PHP service.
Any advice is appreciated.
Well, you need to produce Javascript code that will do it on the client, and it's gonna be a pain to get the value on the server side.

Asp.net access sessionstate from JavaScript

Our system using HttpContext.Current.Session("Client") to store the current user info.
One property in the session is a roleID i.e. CType(HttpContext.Current.Session("Client"), Client).RoleId
By checking the value of RoleId, the system can identify whether the user can access a couple of pages.
I've validated it in the server-side. But for the easiest way to present the Notice Message I think is using JavaScript.
So is it possible to get the session value in JavaScript (even in a external JavaScript)?
How about Cookie? What is the drawback for adding Cookies for an existing system?
And any other suggestions if you have.
Thx
Yes, I did the validation in server side. Later again, I'll add restrictions in DBs as well.
Result:
I used webMethod inside a web service, caz it is a Master Page.
Thanks for you answer.
but another issue raised:
Trigger/Prevent page event by using asynchronous webmethod return value in JavaScript
please give me some advise on that question as well, thx.
You could do it as a cookie, but it would slow down your round trip for every resource. Hence, I don't recommend this approach.
One option is to have a dynamic page that returns a javascript object in global with the appropriate variables printed out. You then could just include it as a standard script tag.
Another approach is to make an AJAX call.
Keep in mind, you should still always validate the base request and never trust the client.
Sending roles to the client and using JavaScript for business logic based upon these roles is a security risk. Users (hackers) know how to manipulate client-side code to gain access to things they're not supposed to.
I recommend sending down only the content the user has access to or use AJAX to retrieve the content dynamically from the client.
But to answer your question, no, you cannot retrieve session data directly from the client.
You can make ashx page or WCF service and call that with javascript. But don't return roleID and check that ID on client, instead just return true / false if user has access. Use jQuery ajax call to ashx or WCF service, you should find tons of examples on google

Categories

Resources