
First of all, all of this might be a newbie stupid question.

I am developing a web application with Laravel but ended up using tons and tons of jQuery/JavaScript. I tried to think of all the possible security risks as I was developing but the more I research this topic, the more I am concerned about usage of jQuery/JavaScript. It seems that dynamic content loading using jQuery/JavaScript is overall a very bad idea... But I don't want to rework everything since that would take weeks of extra developing of what is already developed.

A quick example: let's say I have a method attached to my div like so

```html
<div class="img-container" id="{{$file->id}}" onmouseover="showImageButtons({{$file->id}})"></div>
```

And then a part of JavaScript

```javascript
function showImageButtons(id)
{
  console.log(id);
}
```

When I open this in browser, I am able to alter the value of parameter sent to javascript through the chrome inspector.

from this

to this

And it actually gets executed, I can see "some malicious code" being printed to console. What if I had an ajax call to server with that parameter? Would it pass? Is there something I don't understand or is this seriously so easy to manipulate?

miken32
Matrix
  • Security is not something done on the client side, it's done on the server side. Assume every piece of data you get from the client is malicious. Code accordingly. – miken32 Feb 26 '20 at 19:30
  • Yes; you can never trust anything from the client (regardless of the use of AJAX). – SLaks Feb 26 '20 at 19:30
  • You could encode the `$file->id` so any malicious content in it wouldn't execute (https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php). This won't stop a user from manipulating the DOM but I presume your concern actually is that PHP variable's value. If a user enters `some malicious code` on their own browser it doesn't really matter to anyone else. – user3783243 Feb 26 '20 at 19:32
  • Another question I had in mind: can a response from the server be interrupted and manipulated? For example, I call an AJAX GET method; in the controller, I return a view, then I place this response as HTML by using `$('#someComponent').html(response)`. Can that response variable be changed in the middle between server response and when client actually receives it? – Matrix Feb 26 '20 at 20:37

1 Answer


There are two basic aspects you need to consider regarding web security -

  1. The connection between the browser and your server should be secure (i.e. HTTPS); that way, assuming you configured your server correctly, no one can intercept the client-server communication and you can share data through AJAX.

  2. On the server side, you should treat information coming from the client as hostile and sanitize it; that is since anyone can send you anything through your webpage, even if you do input validation on the client side, since your JavaScript code is executed by the client and therefore in complete control of the attacker. While implanting "malicious code" in the webpage alone is not an actual attack, if an attacker gets you to store that malicious code in the server and send it to other clients she can run her JavaScript on your other clients' browsers and that is bad (look up "cross site scripting / XSS").

Ben Danon
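An added example, not code from the question or the answer: a plain-PHP sketch of the server-side handling the answer describes, applied to an AJAX call that carries the id from the question's `onmouseover` attribute. The `FILES` array, the user ids and the handler's return shape are constructed for illustration; in Laravel the same checks would normally be expressed with request validation, a policy and Blade's `{{ }}` escaping.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a "files" table (assumption, not from the post).
const FILES = [
    7 => ['owner_id' => 1, 'name' => 'holiday.jpg'],
    8 => ['owner_id' => 2, 'name' => '<script>alert(1)</script>.jpg'],
];

/**
 * Hypothetical server-side handler for the AJAX request. $rawId is whatever the
 * browser sent, including a value edited in the inspector. Returns [status, body].
 */
function showImageButtons(mixed $rawId, int $currentUserId): array
{
    // 1. Validate type and range; never echo the raw value back in the error.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [422, 'invalid id'];
    }

    // 2. The id must refer to a record that exists.
    if (!array_key_exists($id, FILES)) {
        return [404, 'not found'];
    }

    // 3. Authorize: a well-formed id for someone else's file is still tampering.
    if (FILES[$id]['owner_id'] !== $currentUserId) {
        return [403, 'forbidden'];
    }

    // 4. Escape stored data on output so a hostile file name cannot become markup.
    $name = htmlspecialchars(FILES[$id]['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, "<button data-id=\"{$id}\">Delete {$name}</button>"];
}

// Constructed requests: honest id, the tampered string from the question,
// another user's file, and the owner of a file with a hostile name.
$requests = [['7', 1], ['some malicious code', 1], ['8', 1], ['8', 2]];
foreach ($requests as [$raw, $user]) {
    [$status, $body] = showImageButtons($raw, $user);
    echo $status, ' ', $body, PHP_EOL;
}
```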