Can someone edit javascript file offline to run malicious code?

I am worried about something related to the JavaScript files of my website; I am not sure if this is doable.

JS files are downloaded when someone visits a website. What if someone edited the downloaded JS script, inserted his own code, and then refreshed the website? On the new refresh the website would read the edited JS file and run the malicious code. The malicious code might be used to run some code on the server in normal ways.

Example:

A user is only allowed to post an article in his page:

HTML

Article form will only show for the user in his page.

<?php
if( $user->id == $page->userID )
{
?>    
<form>
<h1>Add new article:</h1><br />
<textarea name="articleText" cols="65" rows="3"></textarea>
<input class="SubmitArticle" id="<?php echo $userPage->id; ?>" name="SubmitArticle" type="button" value="Submit article" />
</form>
<?php
}
?>

Javascript

$(".SubmitArticle").click( function(e){
    // The target page id is taken from the button's id attribute, i.e. from the client.
    var targetPage = $(this).attr('id');
    var thisForm = $(this).parent();
    var postData = thisForm.serialize() + "&targetPage=" + targetPage;

    $.post(document.location, postData, function(data) {
        $('#mainDiv').html(data);
    });
});

PHP

if( isset($_POST["SubmitArticle"]) )
{
    // Both values come straight from the request; nothing here checks
    // that the current user owns the page identified by targetPage.
    $pageID = $_POST["targetPage"];
    $text = $_POST["articleText"];

    PublishArticle( $pageID , $text );
}

Malicious Code:

Code inserted in the JS file to write an article on other users' pages (which is not allowed); the attacker reads the page id from the HTML element using "view page source" (let's say page_id=12):

postData = "SubmitArticle=1&targetPage=12&articleText='Muwhahahah'";
$.post(document.location, postData, function(data) {
});

What is the solution if this is possible?

DeepBlue asked Jan 21 '14 08:01


2 Answers

I think you have some misunderstanding of how a web server works.

From the client's point of view, everything the server sends to the client is read-only.

Imagine you have downloaded a zip file from the internet. You then modify it and save it. The save process will happen on your hard drive and not on the server. When you edit your local file (in your example the JavaScript file) it won't be edited on the server, just on your local PC.

Therefore you are free to do with / edit your local files as you want. Unless you somehow upload them to the server (FTP for example) they will only be on your local PC.

With this in mind, you should always also validate the data on your server side, as a skilled user could edit your JavaScript to remove data validation and send it to the server.

RononDex answered Sep 19 '22 23:09


You are right to be worried, don't trust the client. Ever.

In your example you should validate the user prior to publishing the article, something like:

if( isset($_POST["SubmitArticle"]) ){
    $pageID = $_POST["targetPage"];
    $text = $_POST["articleText"];

    // Check ownership of the page the client asked to post to ($pageID), not
    // only of the page being viewed: otherwise a user on his own page can still
    // send targetPage=12 and publish on somebody else's page.
    // ($page->id is assumed to be the id of the page currently being viewed.)
    if( $user->id == $page->userID && (int)$pageID === (int)$page->id ){
      PublishArticle( $pageID , $text );
    }
}

Don't stop there

In addition, you should not trust that the client will send you valid article text and page id. It could be SQL injection, malicious JavaScript, page-breaking HTML, etc. You need to sanitize your inputs as well.

tankerjoe answered Sep 21 '22 23:09
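A fuller version of the server-side handler both answers describe, written as an added example (not code from the question or either answer). It assumes a PDO connection in $db, tables pages(id, user_id) and articles(page_id, body), and that session_start() has already put the logged-in user's id in $_SESSION['user_id']; the ownership check is done against the page the client asked to post to, so the edited-JS attack from the question gets a 403.

```php
<?php
// Added example, not the original answer's code. Assumes a PDO connection in $db,
// tables `pages(id, user_id)` and `articles(page_id, body)`, and that session_start()
// has run so the logged-in user's id is in $_SESSION['user_id'].
declare(strict_types=1);
// Who owns a page, or null when it does not exist.
function pageOwnerId(PDO $db, int $pageId): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM pages WHERE id = ?');
    $stmt->execute([$pageId]);
    $owner = $stmt->fetchColumn();
    return $owner === false ? null : (int) $owner;
}

// Server-side decision. Every value in $post is attacker-controlled: the
// client-side form check in the question is only a convenience, so the same
// rule is enforced again here, against the page the client asked to post to.
function canPublish(PDO $db, ?int $sessionUserId, array $post): bool
{
    if ($sessionUserId === null) {
        return false;                      // not logged in
    }
    if (!isset($post['SubmitArticle'], $post['targetPage'], $post['articleText'])) {
        return false;
    }
    // targetPage must be a plain integer, not "12 OR 1=1" or similar.
    if (filter_var($post['targetPage'], FILTER_VALIDATE_INT) === false) {
        return false;
    }
    $text = trim((string) $post['articleText']);
    if ($text === '' || mb_strlen($text) > 10000) { // 10000 is an assumed limit
        return false;
    }
    // Ownership is checked on the requested target, not on the page being viewed.
    return pageOwnerId($db, (int) $post['targetPage']) === $sessionUserId;
}

// Parameterised insert: the body is stored raw and must be escaped with
// htmlspecialchars() when rendered, so a pasted <script> stays inert.
function publishArticle(PDO $db, int $pageId, string $text): void
{
    $stmt = $db->prepare('INSERT INTO articles (page_id, body) VALUES (?, ?)');
    $stmt->execute([$pageId, $text]);
}

$sessionUserId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
if (canPublish($db, $sessionUserId, $_POST)) {
    publishArticle($db, (int) $_POST['targetPage'], trim((string) $_POST['articleText']));
} else {
    http_response_code(403);               // wrong owner, bad input, or not logged in
}
```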