Introduction
Like any programming language, JavaScript has its own security flaws. Exploiting them can lead to data manipulation, session modification and data theft. Although JavaScript is mostly thought of in terms of client-side applications, it is also known to cause numerous problems in server-centric environments.
Problems in Server-Centric Environments
Source code vulnerabilities
Source code vulnerabilities can be combined with others, leading to a series of JavaScript security holes. Sadly, in such cases JavaScript obfuscation on its own cannot hide these holes. Because JavaScript is an interpreted rather than a compiled language, this method cannot keep application code out of the hands of potential hackers. It can still be rated a good practice, as it slows hackers down in their reverse-engineering attempts.
Another source of security holes in the source code is the rampant use of public packages and libraries. Most developers install packages for even the simplest of tasks, which increases the number of project dependencies. This leads to security issues whose impact can have far-reaching consequences.
Monitoring and addressing all potential dependencies is a labour-intensive and time-consuming task. An auditing tool can help automate the process and so speed it up.
Filtering output
In some cases it makes sense to remove dangerous characters from data received as input. This provides some protection, but it should not be relied on where data manipulation is concerned. An attacker can use various techniques to evade this type of filter.
Compromise on session data
A browser script on the client side has access to all content that a web application returns to the browser. This includes cookies, which can potentially hold sensitive data such as the user's session ID. A common exploit in XSS attacks is to pass the user's session token on to the attacker so that they can hijack the session.
Appselling suggests a series of measures to prevent such exploits. Among them is support for HttpOnly cookies. This prevents client-side scripting attacks from accessing any sensitive data stored in the cookies.
Data in local and session storage can be stolen in the same manner, since it can be reached through DOM access. It is therefore suggested that sensitive data such as tokens be kept in browser storage only where that is necessary, which depends on the architecture of the web application.
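The effect of the HttpOnly flag described above, as an added example that is not part of the original article: a simplified model of which cookies a page script can read through document.cookie, plus a check that flags session-like cookies set without the flag. The cookie names, the name heuristic and the sample headers are constructed for illustration.

```javascript
// Added example: models which cookies a page script could read via document.cookie.
// Simplified on purpose: ignores Path, Domain, expiry and Secure scoping.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no usable name: treated as malformed in this example
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What document.cookie would expose to any script on the page, injected or not.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !c.attrs.has("httponly"))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Flag cookies whose names look like session identifiers but lack HttpOnly.
const SESSION_NAME = /sess|sid|token|auth/i; // heuristic assumed for this example
function auditSessionCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && SESSION_NAME.test(c.name) && !c.attrs.has("httponly"))
    .map((c) => c.name);
}

// Constructed sample Set-Cookie values: the weak setting beside the corrected one.
const weak = ["sessionid=abc123; Path=/", "theme=dark; Path=/"];
const hardened = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/",
];

console.log(scriptVisibleCookies(weak));     // sessionid=abc123; theme=dark
console.log(scriptVisibleCookies(hardened)); // theme=dark
console.log(auditSessionCookies(weak));      // one finding: sessionid
console.log(auditSessionCookies(hardened));  // no findings
```

Local and session storage have no equivalent flag, so the same model applied to them would always report the stored value as script-readable.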