Javascript Security

No comments

What exactly Javascript’s are?

Javascript is a cross-platform client-side script language. Javascript’s are widely used and convenient to be added for any client-side tasks.

However, if Javascript’s code inspection is not done properly then it could lead to serious security issues.

Hackers are looking for two types of Javascript security vulnerabilities on your website:

  • One is that if they can force your code to throw an uncaught Javascript exception and thus stop the pages which are running.
  • the other one is that if they can inject an external Javascript script file to your page and call your methods from their page.

Debugging Javascript’s issues for anyone is an experience, they know if an uncaught Javascript exception is thrown, the page will stop responding, not only the Javascript part but also most of the server calls, because most of the server calls are initiated by the Javascript code on the page.

Once the page stops responding, the hacker then would be able to do more things through the stopped page. One famous example of what pages under this scenario can do is that in the early days, iOS jailbreaking is done through using safari to load a page with intended broken Javascript code.

On the other hand, the nature of Javascript’s code makes debugging injection easily possible. If the javascript function on the page is independent, any hacker would be able to create their own Javascript file and just call the function they want because there is no encapsulation among the top level functions in Javascript.

If the function called by the hacker happened to do any CRUD on the database, the whole system is exposed to hackers’ attack.

How Javascript’s Can Be Solved?

To the two issues we talked above, we do have methods to solve or avoid them. To avoid the attack through Javascript’s exceptions, the solution is simple: catch or avoid every possible exception.

However, the simple solution might not be that easy to achieve. Javascript has following data types:

  • String, Date, Number, Boolean, Array, Object.
  • It also can have a null value and undefined status.

Be careful to validate the data according to those data types and value types should help a lot. Also, remember to use “===” when you need to do a strict comparison.

The solution to the other problem is more complicated and tricky. Each company in the industry has different solutions, but most of them share the same concept.

The basis of the concept is that every function would be hidden into a module as a property of the module object, which only can be called by a controller, while the controller would be started on document.ready, monitoring and responding to page events, but not possible to be called from outside.

Therefore, the only way to call the method is to have the correct event on the page, then the controller which is listening to the certain event is calling the method inside of the corresponding module. This won’t eliminate all the vulnerabilities but it will improve the security by a lot. Be sure to talk to the architect for the solutions your system should be using.

Years ago when I was working for a top tech company, the architect there had an excellent statement about the security of Javascript: “you should never let outside code control our site!

Are you interested in keeping your skills fresh? Just subscribe to our blog and follow us on and follow us on Facebook, LinkedIn, and Twitter. You can always reach us at Contact Us

AthenaJavascript Security
Read More