Security question

 
 
Lucas Kruijswijk
02-06-2007
Hello all,

I have a security question. Instead of having a session key,
I was thinking to hold the password of some application in
a JavaScript variable.

Each time a http (or https) request is sent from JavaScript,
I also send the password. The server checks the password
and sends back the result.

In this way, no need for session.

Is there a security problem with this kind of programming?

The only thing I could think of, is that in Firefox and Firebug
someone could access the variable to get the password. But
that is a risk I take.

I am more concerned that some evil website could steal the
password by some other JavaScript. But I could not find
a way, so, I assume this is rather safe.

Or, does someone disagree?

Regards,

Lucas


 
Dag Sunde
02-06-2007
Lucas Kruijswijk wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a JavaScript variable.

Bad idea!

> Each time a http (or https) request is sent from JavaScript,
> I also send the password. The server checks the password
> and sends back the result.
>
> In this way, no need for session.
>
> Is there a security problem with this kind of programming?

YES!

> The only thing I could think of, is that in Firefox and Firebug
> someone could access the variable to get the password. But
> that is a risk I take.

You don't need Firefox or Firebug. You can read your password in
any browser with one or two clicks with the mouse if you do it
this way.

> I am more concerned that some evil website could steal the
> password by some other JavaScript. But I could not find
> a way, so, I assume this is rather safe.

You're wrong!

> Or, does someone disagree?

Heartily, Yes!

--
Dag.


 
Benjamin
02-07-2007
On Feb 6, 4:37 pm, "Lucas Kruijswijk" wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a JavaScript variable.
>
> Each time a http (or https) request is sent from JavaScript,
> I also send the password. The server checks the password
> and sends back the result.

The words password and JavaScript send a chill down my spine. Remember
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating the DOM, creating dynamic
pages. Security is something always best kept to a computer you know
(e.g. the server) rather than the user's computer you know nothing
about.

> In this way, no need for session.
>
> Is there a security problem with this kind of programming?
>
> The only thing I could think of, is that in Firefox and Firebug
> someone could access the variable to get the password. But
> that is a risk I take.
>
> I am more concerned that some evil website could steal the
> password by some other JavaScript. But I could not find
> a way, so, I assume this is rather safe.
>
> Or, does someone disagree?

Please don't do this!

> Regards,
>
> Lucas



 
Lucas Kruijswijk
02-07-2007
> The words password and JavaScript send a chill down my spine. Remember
> anything you write in JavaScript can be viewed with a simple click on
> view source. JavaScript is for manipulating the DOM, creating dynamic
> pages. Security is something always best kept to a computer you know
> (e.g. the server) rather than the user's computer you know nothing
> about.

The password is only in a JavaScript variable. It is not in the DOM;
it is also not in the source.

So, I didn't see real arguments. You can only access it by a JavaScript
console.

By the way, it is not for a banking system or something like that.

Lucas

 
Dag Sunde
02-07-2007
Lucas Kruijswijk wrote:
>> The words password and JavaScript send a chill down my spine.
>> Remember anything you write in JavaScript can be viewed with a simple
>> click on view source. JavaScript is for manipulating the DOM, creating
>> dynamic pages. Security is something always best kept to a computer
>> you know (e.g. the server) rather than the user's computer you know
>> nothing about.
>
> The password is only in a JavaScript variable. It is not in the DOM;
> it is also not in the source.
>
> So, I didn't see real arguments. You can only access it by a
> JavaScript console.

Type the following into the address field of your browser:
(Without the quotes)

"javascript:alert(yourPwdVar);"

where "yourPwdVar" is the variable you're holding the password in.

> By the way, it is not for a banking system or something like that.

Then drop the password...



--
Dag.



 
Lucas Kruijswijk
02-07-2007
Thanks, I am convinced. I will do something better.



 
Reply With Quote
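The "session key" alternative from the first post, sketched server-side as an added example that is not code from any poster in the thread: the password is checked once at login, and a random, expiring token in an HttpOnly cookie authenticates every later request. The in-memory stores, the function names, the cookie name `sid` and the 30-minute lifetime are assumptions for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000;  // assumed 30-minute lifetime
const users = new Map();                // user -> { salt, hash }
const sessions = new Map();             // token -> { user, expires }

const hashPassword = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

function register(user, password) {
  const salt = nodeCrypto.randomBytes(16);
  users.set(user, { salt, hash: hashPassword(password, salt) });
}

// The only place the password is handled. Returns a Set-Cookie value or null.
function login(user, password, now = Date.now()) {
  const rec = users.get(user);
  if (!rec) return null;
  if (!nodeCrypto.timingSafeEqual(hashPassword(password, rec.salt), rec.hash)) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');  // unrelated to the password
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  // HttpOnly: page script cannot read the cookie; Secure: sent over https only.
  return `sid=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Extract the token from a request's Cookie header.
function sidFrom(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  return m ? m[1] : null;
}

// Later requests are authenticated by the token alone.
function authenticate(cookieHeader, now = Date.now()) {
  const token = sidFrom(cookieHeader);
  const s = token && sessions.get(token);
  if (!s) return null;
  if (s.expires <= now) { sessions.delete(token); return null; }
  return s.user;
}

// Logout revokes the token server-side; the password is unaffected.
function logout(cookieHeader) {
  const token = sidFrom(cookieHeader);
  return token ? sessions.delete(token) : false;
}

// Constructed demo values, not from the thread.
register('demo-user', 'constructed-password');
const demoCookie = login('demo-user', 'constructed-password').split(';')[0];
console.log(authenticate(demoCookie), logout(demoCookie), authenticate(demoCookie));
```

Unlike a password held in a page variable, a leaked token expires, can be revoked on the server, and reveals nothing that works on another site where the user chose the same password.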
 
 
 