0

Is there any way to verify that the JavaScript file as loaded (and potentially altered) by the client has not been tampered with by a malicious user?

I'm thinking of something like this:

1) Computing a checksum and sending this to the server for verification

2) Sending the file as it is in browser memory back to the server for comparison/checksumming.

Is anything like this possible? How can you verify the integrity of the executed JavaScript given a known-good copy on the server?

user13955
    When would you do this check in the timeline of a page being used? What would be the benefit and requirement? I imagine you would find it easier to implement actual validation on the server when API calls are made for the user to perform actions. That and not send sensitive data like passwords etc to be held on the client. – ste2425 Apr 07 '16 at 13:56
  • Possible duplicate of [Is there a way to stop end-user tampering with JavaScript game code in my page?](http://stackoverflow.com/questions/22208349/is-there-a-way-to-stop-end-user-tampering-with-javascript-game-code-in-my-page) – JJJ Apr 07 '16 at 13:58
  • You can write objects with integrity. Mostly by not using the `this` keyword. – evolutionxbox Apr 07 '16 at 14:00

2 Answers

3

tl;dr No

As a malicious user can easily tamper with the data getting sent to the server, there's no way of securely verifying that the JavaScript has not been altered. Even if you did hashsum calculations, there's no way of making sure that the user is not modifying that hashsum before sending it to the server.

You simply have to find other means to make your solution secure. Usually this means that you have to run your business logic on the backend rather than on the client.

Emil Oberg
2

I don't think there is a good solution for this, simply because even your checks to the server could be manipulated client side. I could easily change the checksum to the original one and send that one to your server.

Keep the validation on the server, never store or use key variables / data in the browser. You should use JavaScript to process the received data and interact in the UI. The only thing people could do is change the values shown to the eye.

Huso