JavaScript Security

Learn JavaScript security to make your web applications more secure.


Y.E Liang


112 Pages


English

PDF Format

2.55 MB

Java Script



  • Y.E Liang    
  • 112 Pages   
  • 23 Feb 2015
  • Page - 2

    JavaScript Security. Learn JavaScript security to make your web applications more secure. Y.E Liang. BIRMINGHAM - MUMBAI

  • Page - 3

    JavaScript Security. Copyright © 2014 Packt Publishing. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this

  • Page - 4

    Credits. Author: Y.E Liang. Reviewers: Jan Borgelin, Sergio Viudes Carbonell, Moxley Stratton, Mihai Vilcu. Commissioning Editor: Kunal Parikh. Acquisition Editor: Llewellyn Rozario. Content Development Editors: Shali Sasidharan, Anila Vincent. Technical Editor: Mrunal M. Chavan. Copy Editors: Sarang Chari, Rashmi Sawant. Project Coordinator: Neha Bhatnagar. Proofreaders: Simran Bhogal, Maria Gould, Ameesha Green, Paul Hindle. Indexer: Tejal

  • Page - 5

    About the Author Y.E Liang is a researcher, author, web developer, and business developer. He has experience in both frontend and backend development, particularly in engineering, user experience using JavaScript/CSS/HTML, and performing social network analysis. He has authored multiple books and research papers.

  • Page - 6

    About the Reviewers Jan Borgelin is a technical geek with over 15 years of professional software development experience. He currently works as the CTO at BA Group Ltd., a consultancy based in Finland. In his daily work with modern web applications, JavaScript security has become an increasingly important topic as more and more business logic is being implemented within

  • Page - 7

    Moxley Stratton was hooked on programming. His interests include open source language theory. In his past jobs, he has written software in JavaScript, CoffeeScript, Java, PHP, Perl, and C. He is currently employed with Househappy as a senior and spending time with his daughter. "Software testing excellence" is the motto that drives Mihai Vilcu. Having gained exposure to top

  • Page - 8

    www.PacktPub.com. Did you know that Packt offers eBook versions of every book published, with PDF www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range

  • Page - 10

    Table of Contents
    Preface 1
    Chapter 1: JavaScript and the Web 7
    JavaScript and your HTML/CSS elements 7
    jQuery effects 8
    Hide/Show 8
    Toggle 9
    Animation 11
    Chaining 12
    jQuery Ajax 13
    jQuery GET 14
    jQuery getJSON 14
    jQuery POST 15
    JavaScript beyond the client 15
    JavaScript on the server side 15
    Full-stack JavaScript 15
    JavaScript security issues 16
    Cross-site request forgery 16

  • Page - 11

    Table of Contents [ ii ]
    Persistent cross-site scripting 39
    Nonpersistent cross-site scripting 39
    Examples of cross-site scripting 40
    A simple to-do app using Tornado/Python 40
    Coding up server.py 41
    Cross-site scripting example 1 45
    Cross-site scripting example 2 48
    Cross-site scripting example 3 50
    Defending against cross-site scripting 51
    Do not trust users – parsing input by users

  • Page - 12

    Table of Contents [ iii ]
    Chapter 6: Classic examples 82
    Accessing user history by accessing the local state 85
    XSS and CSRF 85
    Intercepting events 86
    Upgrading to latest versions of web browsers 88
    Recognizing real web pages 89
    Protecting your site against XSS and CSRF 90
    Avoid using pop ups and keep your address bars 91
    Summary 91

  • Page - 14

    Preface Security issues arise from both server and client weaknesses. In this book, you will learn the basics of these security weaknesses, how to recognize them, and how to prevent them. What this book covers Chapter 1, JavaScript and the Web, provides a broad overview of the role of JavaScript in the Web. You will learn that JavaScript, besides giving behavior to web

  • Page - 15

    Preface [ 2 ] What you need for this book You will need the following in order to go through this book successfully: A computer with a modern browser (such as Google Chrome) and stable access to the Internet; Python 2.7.X installed; other Python-related libraries, including Python Tornado (http://www.tornadoweb.org/en/stable/), Tornado-cors (https://github.com/globocom/tornado-cors), and PyMongo

  • Page - 16

    Preface [ ] .always(function() { alert( "finished" ); }); When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold: var express = require('express'); var bodyParser = require('body-parser'); var app = express(); var session = require('cookie-session'); var csrf =

  • Page - 17

    Preface [ 4 ] Customer support Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase. Downloading the example code from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register. Errata Although we have taken every care to

  • Page - 18

    Preface [ 5 ] Questions You can contact us at questions@packtpub.com if you are having a problem with any aspect of the book, and we will do our best to address it.

  • Page - 20

    JavaScript and the Web First of all, welcome to the book! In this chapter, I will give a very high-level overview of JavaScript, such as some of the basic things it can do on the Web both on the client side and on the server side. After that, I will dive into some of the basic examples of JavaScript security issues. The relationship of JavaScript with HTML/CSS Some

  • Page - 21

    JavaScript and the Web [ ] jQuery effects with some basic animation effects before moving on to the topics that are of concern from a security standpoint. You will also need a text editor and a browser in order to test the code. We are using jQuery for this section (and the remainder of the book) for things such as Ajax, animation, and so forth, due to its

  • Page - 22

    Chapter 1 [ 9 ] <body> <button id="show">Show Me</button> <button id="hide">Hide Me</button> <div id="item">I am item</div> </body> </html> Downloading the example code account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit

  • Page - 23

    JavaScript and the Web [ 10 ] Feel free to make some changes to your button IDs and item contents. In my case, this is how my code looks: <html> <head> <style> #item { display: block; height:100px; width:100px; border:1px solid black; background-color: yellow } </style> <script

  • Page - 24

    Chapter 1 [ 11 ] Animation jQuery also provides easy methods to perform animations via the animate() method. Copy the previous example (toggle.html) and name it animation.html. In animation.html, make the following changes as shown in the highlighted lines of code: <html> <head> <style> #item { display: block; position: relative;

  • Page - 25

    JavaScript and the Web [ 12 ] #item to display as block with position:relative. Now, the button ID is animate_button. Notice that the animate() function works on the item when the button is clicked. The following is what you will get when you click on Animate Button: Animation The animation looks like the following: Animation part 2 Chaining One of the more

  • Page - 26

    Chapter 1 [ ] background-color: yellow } </style> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script> <script> $(document).ready(function() { $('#chain_button').click(function() { $("#item").fadeIn('slow').fadeOut('slow').fadeIn('slow').fadeOut('slow').slideDown('slow').slideUp('slow'); })

  • Page - 27

    JavaScript and the Web [ 14 ] jQuery GET A jQuery .get() request simply performs a GET request from a server. To perform a .get() request, you will need the following code: var jqxhr = $.get("http://example.com/data", function() { alert( "success" ); }) .done(function() { alert( "second success" ); }) .fail(function() { alert(

  • Page - 28

    Chapter 1 [ 15 ] jQuery POST If you want to change the data source of your data or create a new one, you will need to perform a POST operation on your server. In this example, we perform a .post() operation to http://example.com/endpoint, and depending on whether our Ajax request is successful or not, we create an alert with different messages. This is done with

  • Page - 29

    JavaScript and the Web [ 16 ] JavaScript security issues JavaScript is becoming ubiquitous and more popular now. However, it has some security issues if not used properly. Two of the most commonly known examples are cross-site request forgery (CSRF upon these two topics as a way to prepare you for the remainder of the book. Cross-site request forgery I decided to start off

  • Page - 30

    Chapter 1 [ 17 ] Cross-site scripting Cross-site scripting (XSS) enables attackers to inject a client-side script (usually JavaScript) into web pages that are viewed by other users. The general idea is that attackers use the known vulnerabilities of web-based applications, servers, plugin systems (such as WordPress), or even third-party JavaScript plugins to serve malicious scripts or

  • Page - 32

    Secure Ajax RESTful APIs Welcome back to the book! In this chapter, we will walk through some code where we build a RESTful server, and write some frontend code on top of it so that we can create a simple to-do list app. The app is extremely simple: add and delete to-do As mentioned in Chapter 1, JavaScript and the Web, JavaScript is used in the server side

  • Page - 33

    Secure Ajax RESTful APIs [ 20 ] /api/todos/:id : POST : This deletes a to-do item The source code for this section can be found at chapter2/node/server.js and its related content as well. Now open up your text editor and server.js. Before you start to code, make sure that you install the required packages mentioned in the previous information box. var express =

  • Page - 34

    Chapter 2 [ 21 ] .post(function(req, res) { var todo = new Todos(); todo.text = req.body.text; todo.details = req.body.details; todo.done = true; todo.save(function(err) { if (err) return res.send(err); res.json(todo); }); }) .get(function(req, res) {

  • Page - 35

    Secure Ajax RESTful APIs [ 22 ] What we have here are the major API endpoints to get a list of to-do items, delete a single item, and create a single to-do item. Take note of the highlighted lines though: Frontend code for the to-do list app on top of Express.js todos.html. This is a this book. So, you can refer to chapter2/node/todos.html to see the full

  • Page - 36

    Chapter 2 [ ] <li class="active"><a href="#">Home</a></li> <li><a href="#">About</a></li> <li><a href="#">Contact</a></li> </ul> <h3 class="text-muted">Sample To do Node.js Version</h3>

  • Page - 37

    Secure Ajax RESTful APIs [ 24 ] <script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script> <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script> <script> // javascript code omitted </script> </body> </html> The preceding code is basically

  • Page - 38

    Chapter 2 [ 25 ] }) } function addTodo() { var data = { text: $('#todo_title').val(), details:$('#todo_text').val() } $.post('/api/todos', data, function(result) { var item = todoTemplate(result.text, result.details, result._id);

  • Page - 39

    Secure Ajax RESTful APIs [ 26 ] These JavaScript functions make use of the basic jQuery functionality that we saw in todoTemplate() : This function simply returns the HTML that builds the appearance and content of a to-do item. toggleForm() : This uses the toggle() function to show and hide the form that adds the to-do item. addToDo() : This is the function that adds a new

  • Page - 40

    Chapter 2 [ 27 ] If you are getting this output, great. In my case, I already have some test data, so you can simply add new to-do items. We can do so by simply clicking on the Add To Do button. Have a look at the following screenshot: A sample to-do form Add in some details, as follows: Adding in some details

  • Page - 41

    Secure Ajax RESTful APIs [ ] Finally, click on Submit. Have a look at the following screenshot: New item added You should see that the added to-do form slides up, and a new to-do item is added. You can also delete the to-do items just to make sure that things are working all right. Cross-origin injection external_node.html, and copy the following code into it:

  • Page - 42

    Chapter 2 [ 29 ] <style> #todo-form { display:none; } </style> <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries --> <!--[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script

  • Page - 43

    Secure Ajax RESTful APIs [ ] <input type="text" class="form-control" id="todo_text" placeholder="Details"> </div> <p><button id="addTodo" class="btn btn-lg">Submit</button> </p> </div>

  • Page - 44

    Chapter 2 [ ] htmlString += todoTemplate(todos[i].text, todos[i].details); } $('#todos').html(htmlString); }) } function toggleForm() { $("#toggleTodoForm").click(function() { $("#todo-form").toggle(); }) }

  • Page - 45

    Secure Ajax RESTful APIs [ ] are using http://localhost:8080 for our Node.js server, you can try other ports. external_node.html at http://localhost:8888/external_node.html. Open external_node.html on another port, and you should see the following: External post form for cross-domain injection You can open the external_node.html another instance of Node.js on another port, or you can

  • Page - 46

    Chapter 2 [ ] Now, click on Submit. There are no animations in this form. Go back to http://localhost:8080/api and refresh it. You should see the to-do item displayed at the bottom of your to-do list, as follows: Item posted from another domain. This is dangerous! Since I have quite a few to-do items, I need to scroll all the way down. But the key thing is to

  • Page - 47

    Secure Ajax RESTful APIs [ ] So, I intend to inject alert("sorry, but you suck"). Once submitted, go back to your to-do list app and refresh it. You should see the message shown in the following screenshot: Injection successful, but this is bad for security Injection success part 2. Bad security.

  • Page - 48

    Chapter 2 [ ] just injected malicious code. We could have injected other stuff, such as links to weird sites and so on, but you get the idea. Guessing the API endpoints You might think that the preceding result cannot be achieved easily; how can For instance, you can make use of Google Chrome Developer Tools and observe endpoints being used. http://localhost:8080/api and

  • Page - 49

    Secure Ajax RESTful APIs [ ] You should notice that we have made a few GET api POST call POST call, todos, followed by /api means that we are posting to /api/todos. the posting to go through; this should be easy as well since we can simply observe First and foremost, we need to prevent cross-origin posting of form values unless we are absolutely sure that

  • Page - 50

    Chapter 2 [ ] Now, restart your server and try to POST from external_node.html. You should most likely receive an error message to the effect that you cannot POST from a different domain. For instance, this is the error you will see from your console if you are using Google Chrome: External post form now fails after we set up our server.js with basic security

  • Page - 51

    Secure Ajax RESTful APIs [ ] your browser again. You will notice that you no longer receive the alert() boxes and that the JavaScript code is printed out as JavaScript now being printed as a string Summary To summarize, we learned how to create a simple RESTful server using Express.js and Node.js. At the same time, we have seen how to effectively inject malicious

  • Page - 52

    Cross-site Scripting Welcome back! In this chapter, we will take a closer look at one of the most common JavaScript security attacks: cross-site scripting. What is cross-site scripting? Cross-site scripting is a type of attack where the attacker injects code (basically, things such as client-side scripting, which in our case is JavaScript) into a page served by the remote server, so that it runs in other users' browsers. If you remember,

  • Page - 53

    Cross-site Scripting [ 40 ] For the purposes of this chapter, the exact terminologies of persistent versus nonpersistent cross-site scripting do not matter that much, because both work in a somewhat similar manner in real-world situations. What we will do is provide a series of examples for you to get the hang of the various JavaScript security issues. Examples of cross-site

  • Page - 54

    Chapter 3 [ 41 ] Coding up server.py In this section, we will write some code that duplicates what our Express.js/Node.js backend did in the previous chapter. In this chapter, we are going to use Python (https://www.python.org/) and the Tornado web framework (http://www.tornadoweb.org/en/stable/). You will need to make sure that you have Python and the Tornado web framework

  • Page - 55

    Cross-site Scripting [ 42 ] In the preceding code, we 8080 for the port at which this server will run. Application class, which is discussed as follows: class Application(tornado.web.Application): def __init__(self): handlers = [ (r"/api/todos", Todos), (r"/todo", TodoApp) ]

  • Page - 56

    Chapter 3 [ ] else: todos = Todos.find() result = [] data = {} for todo in todos: todo["_id"] = str(todo['_id']) result.append(todo) data['todos'] = result

  • Page - 57

    Cross-site Scripting [ 44 ] Now, we need to code the todos.html this in the previous chapter. You can copy-and-paste the code or refer to the source code for this chapter. Similarly, the custom.css and external.html same as Chapter 2, Secure Ajax RESTful APIs. You can now start the app by issuing the following command on your terminal: python server.py Once the app has

  • Page - 58

    Chapter 3 [ 45 ] When you click on the Submit button, you will see something similar to the following screenshot: A to-do item successfully added You should see the new to-do item showing on the screen after clicking on Submit. cross-site scripting. Cross-site scripting example 1 cross-site scripting example: 1. Open external_node.html from the previous chapter (Chapter 2,

  • Page - 59

    Cross-site Scripting [ 46 ] 2. Click on Submit. Now, go back to your app written in this chapter at http://localhost:8080/todo and refresh the browser. You should see the text being injected into the web page, as follows: A to-do item added from somewhere else 3. a to-do item that contains a JavaScript function, as follows: Posting JavaScript functions

  • Page - 60

    Chapter 3 [ 47 ] As usual, click on Submit and refresh the app at http://localhost:8080/todo Hijacked part 1 The second hijacked part looks like this: Hijacked part 2 So once again, we are hijacked!

  • Page - 61

    Cross-site Scripting [ ] Cross-site scripting example 2 Now we can try to trick end users into clicking through a malicious link. Take an instance where we enter the following line on http://localhost:8080/todo : <a href=# onclick="document.location='http://a-malicious-link.com/xss.php'">Malicious Link 1</a> You can also enter <a href=# onclick="document.location='http://a-

  • Page - 62

    Chapter 3 [ 49 ] Now, imagine that these links are malicious and are public to other users. Now, you link. This is because the to-do item that we entered contains malicious JavaScript that redirects a user to a website. You can perform Inspect Element, as follows: You can perform this action by right-clicking on your browser window The resulting HTML page that our input

  • Page - 63

    Cross-site Scripting [ 50 ] We will cover a basic nonpersistent scripting example in this section. Earlier on in this book, we discussed that nonpersistent cross-site scripting occurs where an unsuspecting user clicks on maliciously crafted URLs. the following into the URL address bar: javascript:alert("hi you!") . code in the following screenshot: Executing JavaScript in the

  • Page - 64

    Chapter 3 [ 51 ] This code snippet assumes that our to-do app is hosted on http://localhost:8080/todo. Most importantly, notice that we are changing the URL of the links found on the to-do app, pointing to malicious-website.com. If an unsuspecting user were to visit our to-do list app via the preceding link, the user will notice that he or she is redirected to

  • Page - 65

    Cross-site Scripting [ 52 ] var snippet = "<div id=\"todo_"+id+"\">" + "<h2>"+title+"</h2>" + "<p>"+body+"</p>"; var delete_button = "<a class='delete_item' href='#' id='"+id+"'>delete</a></div><hr>"; snippet +=

  • Page - 66

    Chapter 3 [ ] Summary To summarize, we learned that security issues can occur in any programming language; Python, JavaScript, and others can be laced with JavaScript security issues if we are not careful. We also showed that we need to be careful with the user input; escaping them is an important technique to prevent malicious JavaScript being executed. In the next

  • Page - 68

    Cross-site Request Forgery In this chapter, we will cover cross-site request forgery. This topic is not exactly new, and believe it or not, we have already encountered this in the previous chapters. In this chapter, we will go deeper into cross-site request forgery and learn the various techniques of defending against it. Introducing cross-site request forgery Cross-site request forgery (CSRF)

  • Page - 69

    Cross-site Request Forgery [ 56 ] 3. Next, open external.html found in templates, in another host, say http://localhost:8888. You can do this by starting the server, which can be done by running python xss_version.py --port=8888, and then visiting http://localhost:8888/todo_external. You will see the following screenshot: Adding a new to-do item 4. Click on Add To Do, and

  • Page - 70

    Chapter 4 [ 57 ] 5. Next, click on Submit. Going back to your to-do list app at http://localhost:8000/todo and refreshing it, you will see the new to-do item added to the database, as shown in the following screenshot: To-do item is added from an external app; this is dangerous! 6. As we saw in the previous chapter, to attack the to-do list app, all we need

  • Page - 71

    Cross-site Request Forgery [ ] 7. Now, click on Submit. Then, go back to your to-do app at http://localhost:8000/todo, and you will see two subsequent alerts, as shown in the following screenshot: Successfully injected JavaScript part 1 8. instance where CSRF happens: Successfully injected JavaScript part 2 Take note that this can happen to the other backend written in other

  • Page - 72

    Chapter 4 [ 59 ] This time around, the server is running at http://localhost:8080, so remember to change the $.post() endpoint to http://localhost:8080 instead of http://localhost:8000 in external.html, as shown in the following code: function addTodo() { var data = { text: $('#todo_title').val(), details:$('#todo_text').val()

  • Page - 73

    Cross-site Request Forgery [ 60 ] 10. As usual, submit the item. Go to http://localhost:8080/api/ and refresh; Successfully injected JavaScript part 1 The second alert is as follows: Successfully injected JavaScript part 1 Now that we have seen what can happen to our app if we suffered a CSRF attack, Basically, such attacks can happen when our API endpoints (or URLs accepting

  • Page - 74

    Chapter 4 [ 61 ] If you are using modern frameworks or packages, the good news is that you can easily protect against such attacks by turning on or making use of CSRF protection. For example, for server.py, you can turn on xsrf_cookie by setting it to True, as shown in the following code: class Application(tornado.web.Application): def __init__(self):

  • Page - 75

    Cross-site Request Forgery [ 62 ] Now that both backends are equipped with CSRF protection, you can try to make the same post from external.html. You will not be able to make any post from external.html Network. You will see the following: POST forbidden On the terminal, you will see a 403 error from our Python server, which is shown in the following screenshot: POST

  • Page - 76

    Chapter 4 [ ] Other forms of protection Using CSRF tokens may be a convenient way to protect your app from CSRF attacks, but it can be a hassle at times. As mentioned in the previous section, what about growing so quickly that you want to accelerate that growth by creating a Graph API of your own. In this section, we will go quickly over the techniques for

  • Page - 77

    Cross-site Request Forgery [ 64 ] On the server end, all you need to do is look for the application ID and secret key; if it is not present, simply reject the request. Have a look at the following screenshot: The same thing with Facebook; Facebook requires you to sign up, and it assigns app ID and app secret Checking the Origin header Simply put, you want to check

  • Page - 78

    Chapter 4 [ 65 ] Limiting the lifetime of the token Assuming that you are generating your own tokens, you may also want to limit the lifetime of the token, for instance, making the token valid for only a certain time period if the user is logged in to your site. Similarly, your site can make this a requirement in order for the requests to be made; if the token

  • Page - 80

    Misplaced Trust in the Client Misplaced trust in the client by itself is a very general and broad topic. However, believe it or not, we already covered some aspects of this topic in the previous chapters. Misplaced trust in the client generally means that if we, as developers, are overly trusting, especially in terms of how our JavaScript will run in the client or if

  • Page - 81

    Misplaced Trust in the Client [ ] What we are going to code in this section is a simple user creation form, which sends the values to the backend/server side. On the client side, we are going to use JavaScript to prevent users from creating usernames with the a character and passwords containing the s character. This is typical of many forms we see: we may want

  • Page - 82

    Chapter 5 [ 69 ] class Application(tornado.web.Application): def __init__(self): handlers = [ (r"/", FormHandler) ] settings = dict( blog_title=u"Mistrust", template_path=os.path.join(os.path.dirname(__file__),

  • Page - 83

    Misplaced Trust in the Client [ 70 ] The templates templates/ folder and name it mistrust.html. As usual, we start with a basic Bootstrap 3 template, which is as follows: <!DOCTYPE html> <html lang="en"> <head> <title>Mistrust Example</title> <!-- Bootstrap core CSS --> <link href="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/

  • Page - 84

    Chapter 5 [ 71 ] <label for="username">User Name </label><span id="username-error"></span> <input type="text" class="form-control" id="username"> </div> <div class="form-group">

  • Page - 85

    Misplaced Trust in the Client [ 72 ] else { okUsername = false; $('#username-error').html("Not allowed to use character 's' in your password"); } if (okUsername === true && okPassword === true) { $('#send').prop('disabled', false); }

  • Page - 86

    Chapter 5 [ ] // here I will check for "wrong" stuff if (ok_username === true && ok_password === true) { // go ahead and post to ajax backend var username = $("#username").val(); var password = $("#password").val(); var request = $.ajax({

  • Page - 87

    Misplaced Trust in the Client [ 74 ] We have four major functions in this piece of JavaScript code, which are discussed as follows: checkUserNameValues() : This function checks whether the username is valid or not. For our purposes, it must not contain the s character. If it does, we will show an error message at the #username-error element. checkPasswordValues() :

  • Page - 88

    Chapter 5 [ 75 ] Now you can test the app. Enter your username and password. If you have entered something illegal, this is what you will see: Error messages shown if input contains illegal characters Note the error messages beside the User Name and Password On the other hand, should you enter the credentials correctly, you will receive a successful message, as shown in

  • Page - 89

    Misplaced Trust in the Client [ 76 ] To trust or not to trust the code to show that we, as developers, should never trust the client. Manipulating the JavaScript code You need to perform the following steps to manipulate the JavaScript code: 1. Refresh your app, and assuming that you are using Google Chrome, right-click and open the developer tools by selecting Inspect

  • Page - 90

    Chapter 5 [ 77 ] 3. Now, go to Elements, as shown in the following screenshot: The developer tool interface 4. Now, click on Body disabled button. Click on the disabled text and delete it. 5. Next, enter asd and asd for both your username and password, both of which are illegal under our rules. Going back to your developer tool, head straight to console, and

  • Page - 91

    Misplaced Trust in the Client [ ] In my server, I receive both values: asd and asd, as shown in the following screenshot: Even our backend receives a successful POST request Actually, it is not. Remember that the JavaScript code we write is sent to the client developer tools, I side-stepped the basic requirements of not using the s character and the a character for

  • Page - 92

    Chapter 5 [ 79 ] Summary To sum up this chapter, note how easy it is to manipulate the JavaScript code on the client side, even without performing any form of CSRF or XSS technique. The main lesson we should take away from this chapter is that the JavaScript code we write is sent to the browser, which allows it to be manipulated fairly easily. Always

  • Page - 94

    JavaScript Phishing JavaScript phishing is usually associated with online identity theft and privacy intrusion. In this chapter, we will explore how JavaScript can be used to achieve these malicious goals and the various ways to defend against them. What is JavaScript phishing? Simply put, phishing is an attempt to acquire sensitive information, such as usernames, passwords, and credit

  • Page - 95

    JavaScript Phishing [ ] Classic examples There are numerous examples surrounding eBay; some of the most common examples involve the use of sending a fake e-mail and a fake website that looks like eBay, enticing you with certain reasons to make you log in to the fake site so that you willingly submit your login information. Most importantly, creating a phishing site just

  • Page - 96

    Chapter 6 [ ] The next example shows a fake eBay page: Fake eBay website that looks just the same Now can you tell look exactly the same. But sharp-eyed readers will notice something different about the URL (web) address bar: one says http://www.ebay.co.uk/rpp/WOW, while the page. So, imagine that I am an unscrupulous dude and want your eBay information. I could very

  • Page - 97

    JavaScript Phishing [ ] Another classic example typically involves PayPal. PayPal also has a website dedicated to this topic at https://www.paypal.com/us/webapps/mpp/security/what-is-phishing, as shown in the following screenshot: Alright, now that we have other examples.

  • Page - 98

    Chapter 6 [ ] Accessing user history by accessing the local state a better chance of creating a successful phishing scheme. For instance, if the hijacker knows which websites you frequently visit, or worse, which banking services you use, these bits and pieces of information will enhance their chances of creating a successful phishing attempt. to know a bit of CSS, which is

  • Page - 99

    JavaScript Phishing [ ] In case you have forgotten, we covered XSS in Chapter 3, Cross-site Scripting, and CSRF in Chapter 4, Cross-site Request Forgery. Feel free to review them if you need to. For instance, consider a login URL. A piece of malicious JavaScript could change the login URL of the button to a malicious web page (a common strategy seen as part of the

  • Page - 100

    Chapter 6 [ ] <li><a href="#">Contact</a></li> </ul> <h3 class="text-muted">Project name</h3> </div> <div class="jumbotron"> <form role="form"> <div class="form-group">

  • Page - 101

    JavaScript Phishing [ ] To see why, open intercept.html in your browser. You should see the following output: A simple form with a script listening for a global submit event Now, try to input some values, as I did in the preceding screenshot. Now open your console and check the output as you click on Submit. The output will look similar to the following screenshot:

  • Page - 102

    Chapter 6 [ ] Some of the more notable ones include the removal of support to access a window.history $("a:visited"). Recognizing real web pages From the aforementioned types of phishing, you might have noticed that one common strategy used by phishing sites is the use of fake websites. Should you recognize a fake website, you can avoid the chances of being phished.

  • Page - 103

    JavaScript Phishing [ 90 ] PayPal also has a comprehensive website going through the ins and outs of phishing, with regard to how to spot them and more, at the following link: https://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing. Have a look at the following screenshot: Real and authentic PayPal website Protecting your site against XSS and CSRF By protecting your

  • Page - 104

    Chapter 6 [ 91 ] Avoid using pop ups and keep your address bars You can design your website so that it avoids the use of pop ups and keeps your address bars. By not using pop ups, you reduce a possible imitation technique that can be used to perform phishing. An alternative to using pop ups would be to use certain techniques, such as the modal dialog

  • Page - 106

    Index A addToDo() function 26 Ajax 13 alert() function 39 animate() method 11 app ID creating 63, 64 app secret creating 63, 64 Asynchronous JavaScript and XML. See Ajax attacks preventing 36-38 autoescape function 52 Bootstrap URL 91 C chaining 12, 13 checkPasswordValues() function 74 checkUserNameValues() function 74 cookie-session URL 36 cross-site request

  • Page - 107

    [ 94 ] Google Chrome URL 88 H hide() function 8 HTML/CSS JavaScript, using with 7 htmlentities() function URL 37 J JavaScript functionalities 7 on server side 15 using, with HTML/CSS 7 JavaScript phishing, examples about 81 classic examples 82-84 CSRF 85, 86 events, intercepting 86-88 user history access, by accessing local state 85 XSS 85, 86 JavaScript

  • Page - 108

    [ 95 ] R RESTful server API endpoints, guessing 35, 36 building 19 building, Express.js used 19-22 building, Node.js used 19-22 cross-origin injection 28-33 frontend code, to-do app 22-28 JavaScript code, injecting via external form 33-35 S URL 37 show() function 8 slideDown() function 13 slideUp() function 13 submitForm() function 74 T to-do app server.py, coding

  • Page - 110

    Thank you for buying JavaScript Security About Packt Publishing Mastering phpMyAdmin for Effective MySQL Management" in April 2004 and subsequently continued to specialize in publishing Our books and publications share the experiences of your fellow IT professionals in adapting seen in the past. Our unique business model allows us to bring you more focused information, Packt is

  • Page - 111

    Object-Oriented JavaScript Second Edition ISBN: 978-1-84969-312-7 Paperback: 382 pages Learn everything you need to know about OOJS in this comprehensive guide 1. Think in JavaScript. 2. Make object-oriented programming accessible and understandable to web developers. 3. Apply design patterns to solve JavaScript coding problems. 4. Learn coding patterns that

  • Page - 112

    Learning JavaScriptMVC ISBN: 978-1-78216-020-5 Paperback: 124 pages Learn to build well-structured JavaScript web applications using JavaScriptMVC 1. Install JavaScriptMVC in three different ways, including installing using Vagrant and Chef. 2. Document your JavaScript codebase and generate searchable API documentation. 3. Test your codebase and application as well as
