
I have a site that does all kinds of ajax requests, manipulates the DOM in various ways, and stores some (limited) user data on the page. All is working well.

However, I'm becoming increasingly concerned that because so much of the site's code is viewable client-side, that I'm vulnerable to a hack. Is there anything I could do to explore this topic? "Hire a hacker?" An online checklist? Things to definitely avoid?

Jonathan Leffler
user111222333
  • _"becoming increasingly concerned that because so much of the site's code is viewable client-side, that I'm vulnerable"_ ? "vulnerable" to what ? – guest271314 Oct 16 '15 at 01:24
  • I would be more than happy to take a look at your site and hack it for you :) – Jesse Oct 16 '15 at 01:24
  • @Jesse Not viewable yet, but I'll keep your name in mind. – user111222333 Oct 16 '15 at 01:25
  • @guest271314 "Vulnerable" to somebody accessing my database is my primary cause of concern. jQuery does a lot of `WebMethod` calls. – user111222333 Oct 16 '15 at 01:28
  • @user111222333 one tip: you must do all types of validation on the server side too, so user input is always what you want it to be. – Buzinas Oct 16 '15 at 01:29
  • @user111222333 _""Vulnerable" to somebody accessing my database is my primary cause of concern"_ Not certain how jQuery could affect `WebMethod` calls? `$.ajax()` is accessing database, `WebMethod` serves reply. What would be "vulnerable"? `WebMethod`? Not sure how using jQuery, `js` could make database "vulnerable"? Tried "accessing database" at client side from own page? – guest271314 Oct 16 '15 at 01:33
  • @guest271314 Well that's my question: What would be vulnerable? Can somebody call these functions themselves by forming Ajax requests? I'm looking for guidance. – user111222333 Oct 16 '15 at 01:36
  • @user111222333 Tried testing own site? Not certain how to interpret "vulnerable"? Can include `html`, `js`, `WebMethod` at Question? Anything could be considered "vulnerable", without specifying what parameters are? – guest271314 Oct 16 '15 at 01:37
  • @user111222333 See http://stackoverflow.com/questions/559600/is-getting-json-data-with-jquery-safe , http://stackoverflow.com/questions/29044209/is-jquerys-get-safe-to-call-on-an-untrusted-url – guest271314 Oct 16 '15 at 01:46
  • This is analogous to the erroneous notion that open source software is more vulnerable to hacking than proprietary software because hackers can see the code. Either your code is secure or it's not. Lesson: make your code secure regardless of whether or not people can see how it's implemented. – Kirk Woll Oct 16 '15 at 02:09

1 Answer

Provided you design your website appropriately, using Ajax in and of itself does not make your website vulnerable to JavaScript injection. The following guidelines apply both to Ajax and non-Ajax architectures.

  1. You should ensure that the Ajax calls that you make to the server pass only the parameters necessary to return the appropriate result. Your application logic (SQL queries, configurations that could be used to infer what you're doing on the server side, secret keys, etc.) should still live on the server.
  2. You should sanitize any data passed to any of your services to ensure it is the kind of data you expect before you allow the server to perform any action.
  3. If you require access control, before you handle a request, ensure that the person is who they say they are. One way of doing this is by returning a unique access token to a user when they initially provide their credentials. They must then make all subsequent requests with that access token. See OAuth 2.0 for an example of a similar strategy.
  4. You should ensure that all sensitive data that you persist at rest (in a database, filesystem, etc.) is encrypted. You should try to limit the time that you store sensitive data in your application memory.
  5. If your website handles sensitive data, ensure you are making all requests over SSL (https). This ensures that it is encrypted while it is making its way from the client to the server and vice versa.
  6. You can obfuscate (often comes along with a minifier) your JavaScript before you vend it to a client. This makes it more difficult for a hacker to try to ascertain your logic. Any smart / dedicated hacker can probably still understand your logic, but it can make your website a slightly more difficult target.
Master_Yoda
  • Minifying code does nothing for security. It takes seconds to google and use a deminifier. – Pikamander2 Oct 16 '15 at 02:06
  • @Pikamander2 - I agree, hence the second part of my statement. You'll still most likely need to wade through a mess of badly named variables to understand the code. Deminifiers can only do so much. See here: http://stackoverflow.com/questions/1387810/is-there-such-a-thing-as-a-javascript-deminifier-deobfuscator – Master_Yoda Oct 16 '15 at 02:12
  • I should have been more clear that I meant obfuscating rather than simply minifying. Editing. – Master_Yoda Oct 16 '15 at 02:14
  • @JK - People often don't know what the right questions are. I also disagree with the sentiment. If you answer them, maybe the next questions they ask will be better. – Master_Yoda Oct 16 '15 at 02:24
  • The answer was pretty much good. Why does this have a down vote? Strange. – brainless coder Oct 16 '15 at 03:33
  • That last part for me is the big one. These are the strategies I need, absolutely. I'm concerned about all of my logic being out there. If there are holes, they'll be easy to find. – user111222333 Oct 16 '15 at 05:14
  • @user111222333 be aware, as yoda alluded to, that last one, while it sounds like exactly what you are looking for, provides VERY little to no actual security. If you implement that method without handling the others properly, you will certainly be at risk. Just a heads up – Wesley Smith Oct 16 '15 at 13:16