1

I was wondering is there a way to check if a line of JavaScript code was ran in the browser that could cause an issue for the user if they left their pc and someone wanted to run a piece of code say xor.decode(password) and then prevent that from happening by killing that request and send a funny message in the console like jajajaja you tried, L bozo!;

Yes I'm trying to encrypt a password on the users end but I am sadly using xor because I can't setup a node server for my project, for now of course later (although this is just a stupid web os security isn't really needed since I hope users aren't signing into stuff on this), I can add that and increase security) at the moment so using a better encryption tool with say npm is out of the equation

Snoot Man
  • 11
  • 6

1 Answers1

1

Fundamentally, not really. If the user has access to the code that their browser runs (which they do), and if they have access to something encoded that the code can decode - then if they know a bit about JavaScript, they can play around with the code and, if they invest enough effort, get it to decode the string.

There are ways you can make it harder for the user to do that, such as:

  • Don't expose any of your script's functions globally. (This prevents the user from using your script's functions from the console, but this can be bypassed by the user taking the source of the script and running it some other way)
  • Obfuscate and minify the code. It could take a good deal of effort to track something down in 10,000 lines of unreadable JavaScript.

But it's impossible to prevent entirely. If you want halfway reasonable security, you need to do the validation (and the storing of the hash/encrypted password) on the backend.

But

xor.decode(password)

For this particular situation, it sounds like something you could do is save the password in a format so that it isn't decryptable. Instead, hash the password - use a one-way algorithm that turns the password into a nonsense sequence of characters that can't be turned back into the original password. This way, the original password can't be recovered by going through the JavaScript. (But, the user can still bypass the check entirely, if it's running only on the client-side...)

You don't need to create your script with NPM in order to use hashing.

CertainPerformance
  • 356,069
  • 52
  • 309
  • 320
  • ok ok cool, I knew it would be possible to not have to use npm I just don't exactly have the best knowledge about how to **hash** and **encrypt** things myself persay, but this has more than let me know that I would have to do more than just `xor.encode` the password to increase security. – Snoot Man Aug 16 '22 at 05:59
  • See [the linked post](https://stackoverflow.com/questions/34952392/simple-way-to-hash-password-client-side-right-before-submitting-form) to see how - it's quite simple – CertainPerformance Aug 16 '22 at 06:00