 

Can a hacker inject values into my jQuery function? [closed]

I've been receiving unexpected data from my web app. Can a hacker change values in a JavaScript function?

If my code is:

my_function('new_item',10,20,30,40);

is it possible that the 'new_item' parameter has been tampered with? What can I do to prevent this?

Erick Engelhardt asked Aug 25 '12 17:08


1 Answer

Yes, any user can change any JavaScript that you send to their browser. The word "hacker" is overstated, because even a moderately savvy user is fully capable of pulling it apart using Firefox's Firebug or Chrome/Safari's stock document inspector. This is the reason web developers repeat the axiom:

Never trust user input!

Under no circumstances should you trust anything the user sends. Don't insert anything into the database without escaping it, don't trust the login credential unless the session is verifiable. Anything you trust is a vulnerability, and every vulnerability will one day be exploited.

Don't try to protect your JavaScript, that's impossible. Instead, verify everything the user tries to do: if they request a page they aren't allowed to see, don't serve it to the client even if the JavaScript requests it.

Winfield Trail answered Oct 06 '22 00:10
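The following is an added example, not code from the question or the answer above, showing what "verify everything the user tries to do" looks like on the server. The browser was supposed to call my_function('new_item',10,20,30,40), but the user can edit that call in the developer tools before it is sent, so the server treats every field of the request as attacker-controlled and rebuilds each decision (who the user is, whether the item exists, whether they may buy it, what it costs) from its own state. The catalogue, the sessions, the handleAddItem function and the request bodies are all constructed for this example.

```javascript
// Server-side truth: the items the shop actually sells and their real prices.
// A Map is used so that a client-supplied key such as "__proto__" or
// "constructor" cannot resolve to something on Object.prototype.
const CATALOGUE = new Map([
  ["new_item",   { price: 10, maxQty: 20, adminOnly: false }],
  ["staff_item", { price: 1,  maxQty: 5,  adminOnly: true  }],
]);

// Server-side sessions keyed by the opaque cookie value. The user id and role
// are read from here and never from anything the client puts in the body.
const SESSIONS = new Map([
  ["sess-customer", { userId: 42, role: "customer" }],
  ["sess-admin",    { userId: 1,  role: "admin"    }],
]);

// Allow-list for the item identifier: validated before it is used anywhere
// (database query, file path, log line, HTML). Bad input is rejected, not "cleaned".
const ITEM_ID = /^[a-z0-9_]{1,32}$/;

// Hypothetical request handler: sessionCookie comes from the cookie header,
// body is the parsed JSON the browser's JavaScript sent (or whatever the user
// replaced it with).
function handleAddItem(sessionCookie, body) {
  // 1. Authenticate from the session store, not from a user id in the body.
  const session = SESSIONS.get(sessionCookie);
  if (!session) return { status: 401, error: "not logged in" };

  // 2. Check the shape of the item id, then look it up in the catalogue.
  if (typeof body.item !== "string" || !ITEM_ID.test(body.item)) {
    return { status: 400, error: "bad item id" };
  }
  const item = CATALOGUE.get(body.item);
  if (item === undefined) return { status: 404, error: "unknown item" };

  // 3. Authorize on the server. The client script may happily request a
  //    restricted item; the server refuses regardless of what was sent.
  if (item.adminOnly && session.role !== "admin") {
    return { status: 403, error: "forbidden" };
  }

  // 4. Quantity must be a real integer in range. Number.isInteger rejects the
  //    string "3", NaN, Infinity and fractions; the bounds reject 0, negatives
  //    and absurdly large orders.
  const qty = body.qty;
  if (!Number.isInteger(qty) || qty < 1 || qty > item.maxQty) {
    return { status: 400, error: "bad quantity" };
  }

  // 5. Price: anything the client sent (body.price) is ignored. The total is
  //    computed from the catalogue, so editing the price in the browser does nothing.
  const total = item.price * qty;
  return { status: 200, userId: session.userId, item: body.item, qty, total };
}

// Stand-alone demo: an honest request and two tampered ones.
console.log(handleAddItem("sess-customer", { item: "new_item", qty: 3 }));
console.log(handleAddItem("sess-customer", { item: "new_item", qty: 3, price: 0 }));
console.log(handleAddItem("sess-customer", { item: "staff_item", qty: 1 }));
```

The point is not the particular checks but where they run: the same validation written in the page's JavaScript would be deleted by the user in seconds, while a check that lives in the request handler cannot be bypassed by editing what the browser sends.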