Computer Security - Is Javascript Secure?

 
Old 06-07-2006, 05:11 PM   #1
Is Javascript Secure?


Hi Everyone,

I have been asked to build a PHP application that calculates important
financial information based on some user-inputted numbers and that will
not allow the user to continue forward unless a certain percentage
range has been met. To validate the numbers, I am considering using
Javascript as opposed to having the PHP code validate the numbers
because Javascript is faster (it is almost instantaneous because the
validation code is running on the client side and does not have to wait
for a refresh, as would be required for the server-side PHP
validation).

My question is: is Javascript secure? My concern here is that because
the Javascript validation would run on the client's computer, they
could potentially hack it to allow unacceptable financial numbers to be
submitted. Am I just being too paranoid here?

Thanks in advance,

-Karl



dredge
Old 06-07-2006, 05:20 PM   #2
Bit Twister
 
Re: Is Javascript Secure?
On 7 Jun 2006 09:11:25 -0700, dredge wrote:

> My question is: is Javascript secure? My concern here is that because
> the Javascript validation would run on the client's computer, they
> could potentially hack it to allow unacceptable financial numbers to be
> submitted.


Saw an article on how SQL injection was done.
They pulled the web page source to their box, chopped out the code
which tested input, then ran the page locally, injecting SQL code to get
database data access.

> Am I just being too paranoid here?


Criminals are getting into cracking as a business.
I would be nervous.
Ask the lawyer how much you could be sued for poor security code.


Bit Twister
Old 06-07-2006, 05:48 PM   #3
Todd H.
 
Re: Is Javascript Secure?
"dredge" <> writes:

> Hi Everyone,
>
> I have been asked to build a PHP application that calculates important
> financial information based on some user-inputted numbers and that will
> not allow the user to continue forward unless a certain percentage
> range has been met. To validate the numbers, I am considering using
> Javascript as opposed to having the PHP code validate the numbers
> because Javascript is faster (it is almost instantaneous because the
> validation code is running on the client side and does not have to wait
> for a refresh, as would be required for the server-side PHP
> validation).


That would be a huge (albeit common) mistake.

> My question is: is Javascript secure? My concern here is that because
> the Javascript validation would run on the client's computer, they
> could potentially hack it to allow unacceptable financial numbers to be
> submitted. Am I just being too paranoid here?


No, you are paranoid with good cause!

By using a software web proxy (such as Paros or Spike) or Firefox
plugins like TamperData it is trivially simple to modify form fields
as they are submitted to the server, bypassing all JavaScript client-side
validation.

Nothing will get you around the inconvenient necessity of having to
scrub all form field data on the server side and treat it as
malicious. Before you develop this application, I strongly recommend
you read the OWASP guide to open web application security:
http://www.owasp.org/index.php/OWASP_Guide_Project

Specific to the issue you're discussing is data validation, which
is #1 on OWASP's top ten security threats to web apps:
http://www.owasp.org/index.php/Unvalidated_Input


Quoting that, "A surprising number of web applications use only
client-side mechanisms to validate input. Client side validation
mechanisms are easily bypassed, leaving the web application without
any protection against malicious parameters."


Best Regards,
--
Todd H.
http://www.toddh.net/


Old 06-08-2006, 03:49 PM   #4
utternoncesense@gmail.com
 
Re: Is Javascript Secure?
I agree entirely with Todd. Client-side validation is in no way a
substitute for server-side. They can be, and often are, used
together, because - as you said - it's 'nicer' to get instant feedback
on your submission if you missed a decimal point. But you -must-
assume the input is bad after the user submits the form and check it
again.

If you want to get fancy, you could write some type of PHP code inside
a PHP variable, and for the server-side check eval() it, and for the
client side JavaScript parse the variable, replacing the few things that
are necessary to replace (e.g., stripping $'s), and output the parsed
code as JavaScript so you don't have to rewrite the PHP, but be careful
how you're handling input in the code you're going to eval - SQL
injection is bad, but if you let a user pull off PHP injection, you're
sunk. I wouldn't recommend considering this unless your validation
code is changing frequently.



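Added example, not code from dredge, Todd H. or the poster above. It puts two points from this thread into one runnable piece: Todd H.'s point that the server has to re-check whatever actually arrives, because a proxy or TamperData can change the fields after the client script has run, and the idea in the post above of writing the rule once and using it on both sides. The field names income and expense, the rule "expense must be 20% to 80% of income", and the three sample request bodies are all assumptions made up for the example; the thread names no fields and no range. In the thread the server side is PHP; here both sides are JavaScript so that one function can literally be shared, which is what the eval() trick above is reaching for.

```javascript
// Added example, not code from any poster in this thread.
// Assumptions: the form posts two fields, "income" and "expense", and the
// rule is "expense must be 20%..80% of income". Field names, the range and
// the sample bodies below are made up for illustration.

const RULE = { minPct: 20, maxPct: 80 };

// Strict decimal parser. Accepts "5000" and "5000.00"; rejects "", "1e9",
// "-5", "0x10", "NaN", "Infinity" and anything with stray characters.
// Returning null instead of NaN keeps the range test from silently passing.
function parseAmount(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim();
  if (!/^\d{1,12}(\.\d{1,2})?$/.test(s)) return null;
  const n = Number(s);
  return Number.isFinite(n) ? n : null;
}

// The one rule both sides use. It takes raw strings, so it works on form
// fields in the browser and on a parsed request body on the server.
function checkFinancials(fields, rule = RULE) {
  const errors = [];
  const income = parseAmount(fields.income);
  const expense = parseAmount(fields.expense);
  if (income === null) errors.push("income: not a valid amount");
  else if (income <= 0) errors.push("income: must be greater than zero");
  if (expense === null) errors.push("expense: not a valid amount");
  if (errors.length > 0) return { ok: false, pct: null, errors };
  // Multiply before dividing so whole-number inputs give an exact percentage.
  const pct = (expense * 100) / income;
  if (pct < rule.minPct || pct > rule.maxPct) {
    errors.push(`expense is ${pct.toFixed(2)}% of income; allowed ${rule.minPct}%..${rule.maxPct}%`);
  }
  return { ok: errors.length === 0, pct, errors };
}

// Browser side: instant feedback before the form is sent. Anyone with a
// proxy can skip this step entirely, so its verdict is never trusted.
function clientAllowsSubmit(formValues) {
  return checkFinancials(formValues).ok;
}

// Server side: all the server really has is the raw body. It re-runs the
// same rule on what actually arrived, not on what the client script decided.
function handlePost(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = {
    income: params.get("income") ?? "",
    expense: params.get("expense") ?? "",
  };
  const result = checkFinancials(fields);
  return result.ok
    ? { status: 200, pct: result.pct }
    : { status: 400, errors: result.errors };
}

// Constructed sample bodies (not captured traffic):
const HONEST_BODY = "income=5000.00&expense=2000.00"; // 40%, within range
const TAMPERED_BODY = "income=100&expense=95";         // 95%, sent past the client check
const GARBAGE_BODY = "income=1e9&expense=-5";          // the real form could never produce this

for (const body of [HONEST_BODY, TAMPERED_BODY, GARBAGE_BODY]) {
  console.log(body, "=>", JSON.stringify(handlePost(body)));
}
```

Run it with node: the honest body gets 200, the tampered and garbage bodies get 400, even though a client-side check would have stopped neither from being sent. The strict regex in parseAmount is the part that tends to get skipped: both PHP's is_numeric() and JavaScript's Number() accept values like "1e9" and leading whitespace, so a range test on a loosely parsed value is weaker than it looks.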