0

I'm trying to verify some code that I wrote is secure and I want to make sure the steps I took to prevent "hacking" (changing JS variables) are working. I've heard changing JavaScript variables from the client side is possible; I just never learned how to do it.

I'm using a knockout.js table. Items can be added from my database. When a user submits the form I send the data to a PHP page which then checks all the inputs to make sure they're valid and unchanged from the constants stored in my database. If they haven't been changed, the data is then submitted into the database.

I just want to try it out myself. How can I use Chrome developer tools or Firefox to try to change JavaScript variables?

user1443519

1 Answer

2

Open the developer tools with F12. Click the console tab. From there you can access everything in the global (Window) scope. Chrome will give you code completion so you can explore objects. You can set values of properties and call methods of anything in scope just by typing JS code.

For example, open the console on this page and type `StackExchange.` and Chrome will show you that JS object and all its properties and methods.

Basically to hack your app somebody would watch the HTTP requests your app sends to the server and then reconstruct them with their own values. They could probably do that with the JS console, or they could use some other tool like curl or Fiddler.

Kevin Collins
  • I tried it here on Stack Overflow and was able to access StackExchange, but I can't seem to access any of the variables from my page. Does knockout.js change the names somehow, or is there another way I have to access them? I typed a few letters into the console and searched through the auto-complete list; none of my variables were in there. – user1443519 Apr 17 '13 at 01:37
  • Maybe because they're in a closure and not accessible through the global scope. Can you post some of the code or put it in jsFiddle? – Kevin Collins Apr 17 '13 at 01:41
  • I found [this](http://robertnyman.com/2008/10/09/explaining-javascript-scope-and-closures/) post on closures. Is it even possible to modify them if they are in a closure? – user1443519 Apr 17 '13 at 01:47
  • It's a way of accessing variables within a function after leaving the scope of the code that declares the function. http://stackoverflow.com/questions/111102/how-do-javascript-closures-work – Kevin Collins Apr 17 '13 at 01:51
  • It's possible if you set a breakpoint within the constructor. At that time, those variables are available in the console. You could then use the console to save a reference to the variable in the global scope. – Michael Best Apr 17 '13 at 02:09
  • Thanks guys, I think I figured it out. – user1443519 Apr 17 '13 at 04:00
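
An added example, not code from the question or the answers: it shows why state held in a closure is not listed under the console's global scope, and why the server-side re-check the question describes is the control that matters, since the request body can arrive with any values. `CATALOG`, `createViewModel` and `validateOrder` are hypothetical names, the data is constructed, and the validator is written in JavaScript as a stand-in for the asker's PHP page.

```javascript
// Constructed catalog standing in for the constants stored in the database (prices in cents).
const CATALOG = new Map([
  ["sku-1", { name: "Widget", price: 500 }],
  ["sku-2", { name: "Gadget", price: 1250 }],
]);

// Client side: `items` lives in a closure, as view-model state often does.
// Nothing is attached to the global object, so console autocomplete on
// window does not list it. That is scoping, not a security boundary.
function createViewModel() {
  const items = [];
  return {
    add(sku, qty) { items.push({ sku, qty, price: CATALOG.get(sku).price }); },
    toPayload() { return JSON.stringify({ items }); },
  };
}

// Server side: every field is re-checked against stored data, and the total
// is computed from the stored price, never from the submitted one.
function validateOrder(rawBody, catalog = CATALOG) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, errors: ["malformed JSON"] }; }
  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, errors: ["items must be a non-empty array"] };
  }
  const errors = [];
  let total = 0;
  body.items.forEach((item, i) => {
    const stored = item && typeof item.sku === "string" ? catalog.get(item.sku) : undefined;
    if (!stored) { errors.push(`item ${i}: unknown sku`); return; }
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      errors.push(`item ${i}: qty out of range`); return;
    }
    if (item.price !== stored.price) {
      errors.push(`item ${i}: price differs from stored value`); return;
    }
    total += stored.price * item.qty;
  });
  return errors.length ? { ok: false, errors } : { ok: true, total };
}

// Demo: the untouched payload passes, a payload with an edited price is rejected.
const demoVm = createViewModel();
demoVm.add("sku-1", 2);
console.log(validateOrder(demoVm.toPayload()));
const demoEdited = demoVm.toPayload().replace('"price":500', '"price":1');
console.log(validateOrder(demoEdited));
```

The 1 to 100 quantity range is an assumed business rule; substitute whatever limits the real form enforces.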