
I am implementing an algorithm/heuristic to protect my web application from malicious users. For that I am using JavaScript. The problem is that if I include the whole algorithm in one code chunk, then there is a high possibility that the user may get the idea and breach the security. My idea is to send a piece of the code at a time and, based on the activity of the user, download and execute the relevant chunk of the code. I do not know if it is possible with JavaScript.

Sam Hanley
sajid
  • Have you tried loading it with multiple ` – Daan Meijer Jan 03 '17 at 14:49
  • Easy, if it is not secure, don't use JS. – Troyer Jan 03 '17 at 14:49
  • so you append script tags to the page.... I am not sure how that is making it more secure... – epascarello Jan 03 '17 at 14:50
  • @sajid As others suggested, you can append JavaScript code from an API response. But this won't make your page more secure. What you need to do is to improve your code so that even if I knew your source code it would not impact your security. – Yeikel Jan 03 '17 at 14:53
  • While you could theoretically do this, it has several problems: (1) it will massively slow down the UI, (2) it isn't secure because the user will be able to download the whole file by just interacting with the interface, and (3) remember that when you are executing in the browser, that is NOT your program anymore; it has become the user's for them to modify, emulate or copy. Any part of your program whose integrity you wish to ensure (see Credit Card, DB Management, etc.) should be done on the server. – bren Jan 03 '17 at 14:53
  • Since JS is open-sourced, you can't rely on it. Use server side security and do not waste time implementing some over-the-top front-end security. Also when you load scripts part-by-part I can wait for your process to complete, copy-paste full code and hack it later. – Justinas Jan 03 '17 at 14:54
  • @epascarello I am claiming that it is definitely going to be secure. I am just speculating. – sajid Jan 03 '17 at 16:29

1 Answer

eval() lets you execute code obtained as a string, e.g. downloaded from the server. It also lets you obscure your code with tricks like escaping and string replacement, which could make your code very hard to de-obfuscate. Malware is known to use these techniques, for one example.

With eval(), care is recommended to avoid some pitfalls, since its use by itself exposes a security hole. Therefore, you should know well what you’re doing. However, in that case you probably wouldn’t be asking such a question. Perhaps you want to step back and ask another question starting with a description of the security hole you’re trying to cover.

Anton Strogonoff
  • Why use eval()? when you can just append a script? – epascarello Jan 03 '17 at 16:35
  • OP wants to “execute them with the same script that downloaded it”, which is a bit vague but looks more like an eval() job: you can literally download a piece of code and execute it. Plus it seems more versatile for obfuscation (which is rarely perfect but is what OP seems to be wanting) because you can retrieve a completely random-looking string from the server and then manipulate it before evaluation, while a – Anton Strogonoff Jan 04 '17 at 06:39
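An added example, not from the question or the answer, that simulates the chunk-by-chunk eval() loader in Node and shows why it adds no protection, next to the server-side design the answer and comments point to. The chunk table, the action names and the "more than 3 clicks" heuristic are constructed stand-ins for whatever the asker's real algorithm does.

```javascript
// Constructed stand-in for the server (the question's "relevant chunk of code"),
// keyed by the user activity that triggers it.
const SERVER_CHUNKS = {
  start:  'globalThis.state = { clicks: 0, blocked: false };',
  click:  'state.clicks += 1;',
  submit: 'state.blocked = state.clicks > 3;',
};

// Client-side loader as the question describes: fetch one fragment and eval() it.
// Indirect eval runs the string in global scope, much like an appended <script>.
function loadChunk(name) {
  const code = SERVER_CHUNKS[name];            // stands in for fetch()
  if (code === undefined) throw new Error('unknown chunk: ' + name);
  (0, eval)(code);
}

// Walk a sequence of user actions through the loader; returns the client-held state.
function runClientFlow(actions) {
  actions.forEach(loadChunk);
  return globalThis.state;
}

// Why chunking adds nothing: the browser is the user's machine, so the user can wrap
// eval (or the loader) and keep every fragment. One pass through the UI yields the
// whole heuristic, which is the point the comments above make.
function captureChunks(actions) {
  const seen = [];
  const realEval = globalThis.eval;
  globalThis.eval = (src) => { seen.push(src); return realEval(src); };
  try { runClientFlow(actions); } finally { globalThis.eval = realEval; }
  return seen.join('\n');
}

// The fix the answer and comments point to: keep the heuristic and its state on the
// server. The client only reports events; nothing it can read or patch in the page
// changes the server's decision.
const sessions = new Map();
function serverHandleEvent(sessionId, action) {
  const s = sessions.get(sessionId) || { clicks: 0, blocked: false };
  if (action === 'click') s.clicks += 1;
  if (action === 'submit') s.blocked = s.clicks > 3;
  sessions.set(sessionId, s);
  return { blocked: s.blocked };               // the only thing the client ever sees
}
```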