
Just a stupid question. I know it's not possible but I'm just asking a confirmation simply out of paranoia.

It's not possible to edit the source of a Web page and somehow reload that edited script in the browser, correct?

Otherwise, anyone could just put whatever they wanted into any page's source and reload their edited source to do whatever they liked, which would render the whole World Wide Web vulnerable.

Water Cooler v2
  • It probably could be done using client-side tools, like a browser extension. But this wouldn't affect any other loaders of the webpage, obviously, because they're connecting to the source server, not to the odd computer's saved cache. – CertainPerformance Jan 12 '19 at 08:16
  • Well, it is possible with some tricks; there are several plugins for major browsers that allow users to inject and/or edit the source files. Besides that, there is also a "proxy" that is usually used to debug/develop web apps, which can also be used to edit in real time the HTML source received by the server. – Goran.it Jan 12 '19 at 08:17
  • @Goran.it: You're talking about Developer Tools / Firebug sorts of plug-ins that sure allow us to edit source on the client, but that's harmless, right? And by "proxies" you're probably referring to Fiddler and Wireshark (and those of that ilk). But sure, you can't launch a man-in-the-middle attack if the communication is on SSL/TLS/HTTPS, right? – Water Cooler v2 Jan 12 '19 at 08:20
  • @WaterCoolerv2 It wouldn't be interceptable over the wire, but if the client's machine (browser) was compromised, so is the data and all communication. – CertainPerformance Jan 12 '19 at 08:22
  • @CertainPerformance Thanks. Assuming that the browser isn't compromised, there's no way an attacker could inject a script (XSS) into a local copy of the source of a Web page and post it back to the server, right? Even on an unencrypted HTTP connection, right? If the server properly validated XSS and rejected all markup? – Water Cooler v2 Jan 12 '19 at 08:24
  • `and post it back to the server, right` you have moved the goalposts on your question now. But the answer here depends on whether the server is secure. – Keith Jan 12 '19 at 08:57
  • @Keith: Assuming the server is secure in that it implements proper request validation to reject all HTML where it is not allowed, and encodes HTML where it is allowed, there is no way an attacker can post back to the page a modified version of the script he downloaded from the server? – Water Cooler v2 Jan 12 '19 at 09:03
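The two-part server-side policy named in the comments above (reject markup where none is allowed, encode it where it is allowed), written out as an added example that is not part of the original question or its answers. The field names, the handler shape and the sample payload are constructed for illustration; whatever a user changes in the browser's dev tools never reaches this code, only the submitted field values do.

```javascript
// Added example (not from the original post): a minimal server-side
// postback handler implementing "reject where not allowed, encode where allowed".
// Field names (displayName, comment) and the sample payload are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for text placed inside HTML element content.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Request validation: a field that must never carry markup is rejected outright.
function containsMarkup(value) {
  return /[<>]/.test(String(value));
}

// Handles the submitted form fields. Client-side DOM edits are irrelevant here;
// only what the browser actually POSTs arrives, so the defence lives in this function.
function handlePostback(fields) {
  if (containsMarkup(fields.displayName)) {
    return { status: 400, body: 'displayName must not contain markup' };
  }
  // The comment field may contain anything, but it is rendered as inert text:
  // every HTML-significant character is encoded before it reaches the page.
  const html =
    `<p class="author">${escapeHtml(fields.displayName)}</p>` +
    `<div class="comment">${escapeHtml(fields.comment)}</div>`;
  return { status: 200, body: html };
}

// Constructed sample: a script tag pasted into the comment field and posted back.
const sample = { displayName: 'alice', comment: '<script>alert(1)</script>' };
console.log(handlePostback(sample).body);
```

Run with Node; the printed fragment shows the script tag surviving only as literal text, while a markup-laden display name is refused with a 400.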

2 Answers

Yes and no.

Yes, you can edit the source code of a web page directly in the browser using developer tools and the changes will be visible, but only to you, as the changes are made to the files downloaded by your browser.

No, this feature of the browser is not a security risk because the changes are not sent back to the server.


You can potentially insert breakpoints and inject script, hoping it works. As noted in this post's answer from @sjacob: Editing in the Chrome debugger

systemaddict