I've been receiving unexpected data from my web app. Can a hacker change values in a JavaScript function?
If my code is:
my_function('new_item',10,20,30,40);
is it possible that the 'new_item' parameter has been tampered with? What can I do to prevent this?
Yes, any user can change any JavaScript that you send to their browser - the word "hacker" is overstated, because even a moderately savvy user is fully capable of pulling it apart using Firefox's Firebug, or Chrome/Safari's stock document inspector. This is the reason web developers repeat the axiom:
Never trust user input!
Under no circumstances should you trust anything the user sends. Don't insert anything into the database without escaping it, don't trust the login credential unless the session is verifiable. Anything you trust is a vulnerability, and every vulnerability will one day be exploited.
Don't try to protect your JavaScript, that's impossible. Instead, verify everything the user tries to do: if they request a page they aren't allowed to see, don't serve it to the client even if the JavaScript requests it.