Client-server applications, whether they involve JavaScript or not, must assume that untrusted clients may be under the control of attackers. Thus any secret embedded in JavaScript could be extracted by a determined adversary, and the output of JavaScript operations should not be trusted by the server. Some implications:
* Web site authors cannot perfectly conceal how their JavaScript operates, because the code is sent to the client, and obfuscated code can be reverse engineered.
* JavaScript form validation only provides convenience for users, not security. If a site verifies that the user agreed to its terms of service, or filters invalid characters out of fields that should only contain numbers, it must do so on the server, not only the client.
* It would be extremely bad practice to embed a password in JavaScript (where it can be extracted by an attacker), then have JavaScript verify a user's password and pass "password_ok=1" back to the server (since the "password_ok=1" response is easy to forge).
It also does not make sense to rely on JavaScript to prevent user interface operations (such as "view source" or "save image"). This is because a client could simply ignore such scripting.
* Web site authors cannot perfectly conceal how their JavaScript operates, because the code is sent to the client, and obfuscated code can be reverse engineered.
* JavaScript form validation only provides convenience for users, not security. If a site verifies that the user agreed to its terms of service, or filters invalid characters out of fields that should only contain numbers, it must do so on the server, not only the client.
* It would be extremely bad practice to embed a password in JavaScript (where it can be extracted by an attacker), then have JavaScript verify a user's password and pass "password_ok=1" back to the server (since the "password_ok=1" response is easy to forge).
It also does not make sense to rely on JavaScript to prevent user interface operations (such as "view source" or "save image"). This is because a client could simply ignore such scripting.
No comments:
Post a Comment