- Safe to use Javascript?
- Security risk in using jQuery Ajax
- Is it safe to use async with external js files?
- How to form an authorization CURL request in AJAX? [duplicate]
- Is JavaScript Safe
- What is JavaScript? How Does JavaScript Work?
- Keylogging with JavaScript
- History Tracking
- Arbitrary Code Execution
- How Can You Defend Against JavaScript Attacks? Can I make JavaScript Safe?
Safe to use Javascript?
I’m about to create a huge website which will have a lot of visitors. However, I’d like to add effects to this site with jQuery. My only problem is that I’m afraid a lot of people will have JS disabled and they’ll not be able to see the content, or it will be corrupted in some way.
Can someone please tell me if it is safe to use Javascript nowadays, or whether I should be afraid of people who don’t have JS enabled?
I would also be interested in how many internet users are using JS-enabled browsers.
Yes, it is safe to use JavaScript. Less than 1% of all users have JavaScript disabled. This is a report from Yahoo from 2010: http://developer.yahoo.com/blogs/ydn/many-users-javascript-disabled-14121.html.
In fact, few browser stats even report this metric, as the value is irrelevant. Good web design practice should keep your site content accessible even if JavaScript is disabled.
Use Modernizr. It checks if JavaScript is enabled in someone’s browser and lets you style your content accordingly.
Security risk in using jQuery Ajax
This is a question that has been bothering me for a while, so I am looking for opinions and solutions to clamp down on the possibility of the app being a security risk.
I use jQuery for lots of things, but mainly I use it for processing jQuery dialog windows. A lot of times there is the need to grab a value from a field on the form, concatenate that information with a .serialize() command and pass it off to a jQuery ajax call to head over to PHP files for database interaction.
Here comes my question (finally),
Isn’t it ridiculously easy to ‘guess’ what the url could look like for the PHP processing?
You can open the source in a modern browser and click a link to look at the full JavaScript file containing the ajax call.
I could possibly minify the JavaScript file for obfuscation, but that’s not a form of security to be relied upon.
I am using PDO for database access with prepared statements against SQL injection attacks, but if someone took the time to look, couldn’t they just form a valid url, send it off to the database and insert what they want?
I am not talking about hacking the database to steal information, I am more talking about inserting malicious information as though the data was added from the application itself. Think adding something to your shopping cart that is $50 for only $25.
Is it just as simple as turning the ajax request from GET to POST and changing my PHP files?
Edit: The person is logged in and properly authenticated.
Just wondering what other people out there do.
You are quite correct, anyone who is slightly tech savvy can identify the public server endpoints for any webapp. They don’t even need to look at the code. They can just use their webkit/firebug to track the request, or a program like Charles which monitors network activity.
That’s why you need authentication and authorization handling in your server side code.
Authentication is typically handled by a username and password; it is the act of verifying a user is who he is.
Authorization can be handled by Roles on the server, and is the check to make sure the user can do what they are trying to do.
With those two mechanisms in place, even if a user knows a url, they still need to “log in” and have permission to do what they want to do.
Think about it. If you look at your bank account information online, you can easily identify the requests that load your account info. Without these mechanisms, what is to prevent you from simply changing the account-id you pass to the server to try and get someone else’s account info? With authentication/authorization, the server knows that even if it gets a request to load some data, it can check the user’s details to see if they have permission to get that data, and deny the request.
Even if you switch from GET to POST, it will still be very easy for anyone interested to see (and change) any parameter being passed to your server. But here’s the kicker: even if you’re not using AJAX at all, but plain old forms, it is still extremely easy to see and edit any parameter being passed to your server.
In critical situations, you can never rely entirely on what you receive from your clients.
For instance, if you’re adding something to your shopping cart, pass only the ID of the item, and the quantity, to your server. Do not fetch price details from your client, but from your database. If someone tries to hack you and edits the item ID or quantity being sent, the worst thing that happens is that they end up buying something they didn’t want; entirely their problem. (But for the very same reasons, if it’s a limited offer, you would need to verify that the quantity you receive is not greater than what you allow any one customer to buy, for instance.)
So at the end of the day, it’s always you the developer who will have to decide which values you want the user to control, and validate at your server side that you have not received any requests that are outside the bounds of what the user ought to be able to do.
You can never rely on any actions or data coming from client side, not only related to jQuery.
You must handle every kind of security concerns on your server side. Always double check data coming from user (one is on client side for decreasing number of requests for performance; and the other is on server side for actual confirmation).
The request type (GET or POST) actually does not matter, it may be simulated easily. After user tries to add a $50 item for $25, you should check your DB and confirm the actual price of item.
You should NEVER write code in such a way that the price is transferred from the client separately, because anybody can send data with price = 0 or 0.01 for any amount of goods/services or whatever.
More general: never trust client data.
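The answers above all reduce to one server-side rule: take the item ID and quantity from the client, take the price and the cart's owner from your own data. The following is an added example (not code from any of the answers) with a constructed catalogue and cart table standing in for the database; the vulnerable handler and the hardened one sit side by side.

```javascript
// Added example (not from the answers above): the server side of an
// "add to cart" request. Everything in `req.body` came from the browser and
// can be altered freely, so price and ownership are re-derived on the server.

// Constructed stand-ins for the database tables the PHP files would query.
const CATALOG = {
  'sku-100': { unitPrice: 50, maxPerCustomer: 10 },
  'sku-200': { unitPrice: 25, maxPerCustomer: 1 }, // limited offer
};
const CARTS = { 'cart-1': { owner: 'alice' } };

// Vulnerable handler: trusts whatever price the client sent, so a $50 item
// can be added at $25 by editing one parameter (GET or POST makes no difference).
function addToCartTrusting(req) {
  return { status: 200, line: { sku: req.body.sku, qty: req.body.qty, unitPrice: req.body.price } };
}

// Hardened handler: authenticate, authorize against the cart's real owner,
// then accept only the item ID and quantity and bound-check the quantity.
function addToCartChecked(req, session) {
  if (!session || !session.userId) return { status: 401, error: 'not authenticated' };
  const cart = CARTS[req.body.cartId];
  if (!cart) return { status: 404, error: 'unknown cart' };
  if (cart.owner !== session.userId) return { status: 403, error: 'not your cart' };
  const item = CATALOG[req.body.sku];
  if (!item) return { status: 400, error: 'unknown item' };
  const qty = Number(req.body.qty);
  if (!Number.isInteger(qty) || qty < 1) return { status: 400, error: 'bad quantity' };
  if (qty > item.maxPerCustomer) return { status: 400, error: 'quantity exceeds per-customer limit' };
  // Price comes from our own catalogue; req.body.price is ignored entirely.
  return { status: 200, line: { sku: req.body.sku, qty, unitPrice: item.unitPrice, total: qty * item.unitPrice } };
}

// Constructed tampered request: the client claims the $50 item costs $25.
const tampered = { body: { cartId: 'cart-1', sku: 'sku-100', qty: 1, price: 25 } };
console.log(addToCartTrusting(tampered).line.unitPrice);                    // 25 (client's lie accepted)
console.log(addToCartChecked(tampered, { userId: 'alice' }).line.unitPrice); // 50 (from the catalogue)
```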
Is it safe to use async with external js files?
From what I’ve read, using “async” in references to external js files, such as:
might provide the best performance. However, there also seems to be a potential issue with scripts thus referenced executing in any which order. But for jQuery and jQueryUI (or any jQuery-based js file), you need jQuery to load first, and only thereafter jQueryUI (or fancybox, or goMap, or whatever the case is).
So: Is async a tease, or can it be safely used in such situations (referencing jQuery and its spawn hosted on CDNs)?
You can use async safely with unrelated scripts. But if you need to load them in order (such as your example), you can’t just put async on both of them and hope for the best — you’ll be creating a race condition.
I found this article on various ways to load scripts quite useful, FWIW.
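The race condition the answer describes can be reproduced without a browser. This is an added example (not code from the question or answer): a racy loader that starts every script at once beside a loader that requests the next script only after the previous one has executed, both replayed against a constructed fake network that delivers scripts last-requested-first. The CDN URLs are constructed; for static `<script>` tags, `defer` likewise preserves document order where `async` does not.

```javascript
// Added example (not from the original post): two ways of injecting jQuery
// and jQuery UI, replayed against a constructed fake network so the race
// described above can be reproduced offline.

// Browser-side injector (not exercised in the offline replay).
function injectScriptTag(url, onload) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  s.onload = onload;
  document.head.appendChild(s);
}

// Racy: start every download at once; execution order follows arrival order.
function loadScriptsAsync(urls, inject, done) {
  let remaining = urls.length;
  urls.forEach((url) => inject(url, () => { if (--remaining === 0) done(); }));
}

// Safe for dependent scripts: the next one is requested only after the
// previous one has executed, so jQuery UI always finds jQuery present.
function loadScriptsInOrder(urls, inject, done, i = 0) {
  if (i === urls.length) return done();
  inject(urls[i], () => loadScriptsInOrder(urls, inject, done, i + 1));
}

// Constructed stand-in for the browser's network stack: outstanding scripts
// are delivered last-requested-first, the worst case for a CDN race.
function replay(loader, urls) {
  const pending = [];
  const executed = [];
  let finished = false;
  loader(urls, (url, onload) => pending.push({ url, onload }), () => { finished = true; });
  while (pending.length) {
    const s = pending.pop();
    executed.push(s.url); // the script "executes" on arrival
    s.onload();
  }
  return finished ? executed : ['loader never completed'];
}

// Constructed URLs, not real CDN paths.
const CDN = ['https://cdn.example/jquery.js', 'https://cdn.example/jquery-ui.js'];
console.log(replay(loadScriptsAsync, CDN));   // jquery-ui before jquery: broken
console.log(replay(loadScriptsInOrder, CDN)); // jquery, then jquery-ui
```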
How to form an authorization CURL request in AJAX? [duplicate]
I have the following CURL request requiring a JWT token for accessing a protected route in express.js. This request is working fine.
curl --request GET \
  --url http://localhost:3001/api/v1/protected/random-quote \
  --header 'Authorization: Bearer eyJ0xxxxQ.NLNOn1caBeGFlPRnsSjLDIKFggMItcm-dl5PKOjlLxs' \
  --header 'Content-Type: application/json'
How do I formulate the corresponding AJAX request?
With the above AJAX request I get the following error:
VM9599 jquery.min.js:3049 GET http://localhost:3001/api/v1/protected/random-quote 401 (Unauthorized)
You need to pass an object to the headers option.
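As an added example (not code from the question or the answer), the curl command can be translated mechanically into the settings object `$.ajax` takes, which puts the Authorization header where jQuery expects it, in the `headers` object. The sample command mirrors the one above with a constructed placeholder in place of the token.

```javascript
// Added example (not from the question or answer): translate the curl
// command into the settings object jQuery's $.ajax expects, so the
// Authorization header ends up in the `headers` option.

// Split a curl command line into arguments: single- or double-quoted
// strings become one argument; `\` line continuations are dropped.
function tokenizeCurl(cmd) {
  const tokens = [];
  const re = /'([^']*)'|"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(cmd)) !== null) {
    const tok = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    if (tok !== '\\') tokens.push(tok);
  }
  return tokens;
}

// Map the subset of curl options used on the page onto $.ajax settings.
function curlToAjaxSettings(cmd) {
  const tokens = tokenizeCurl(cmd);
  if (tokens[0] !== 'curl') throw new Error('not a curl command');
  const settings = { type: 'GET', url: null, headers: {} };
  for (let i = 1; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '--request' || t === '-X') {
      settings.type = tokens[++i];
    } else if (t === '--url') {
      settings.url = tokens[++i];
    } else if (t === '--header' || t === '-H') {
      const h = tokens[++i];
      const colon = h === undefined ? -1 : h.indexOf(':');
      if (colon < 0) throw new Error('malformed header: ' + h);
      settings.headers[h.slice(0, colon).trim()] = h.slice(colon + 1).trim();
    } else if (!t.startsWith('-') && settings.url === null) {
      settings.url = t; // bare URL form: curl http://...
    } else {
      throw new Error('unsupported curl option: ' + t);
    }
  }
  if (!settings.url) throw new Error('no URL in command');
  return settings;
}

// Constructed input mirroring the page's command, with a placeholder token.
const SAMPLE_CURL = `curl --request GET \\
  --url http://localhost:3001/api/v1/protected/random-quote \\
  --header 'Authorization: Bearer TOKEN_PLACEHOLDER' \\
  --header 'Content-Type: application/json'`;

// In the browser: $.ajax(curlToAjaxSettings(SAMPLE_CURL)).done(console.log);
console.log(curlToAjaxSettings(SAMPLE_CURL));
```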
Is JavaScript Safe
With so many major security breaches relating to JavaScript these days, you may have questions. Some people hold the erroneous view that JavaScript itself is a virus. That certainly isn’t true, and the notion that JavaScript is dangerous is only partially correct. JavaScript can be dangerous, but chiefly when users aren’t cautious. Attackers can use it to steal your data automatically without you ever being aware of it. Since JavaScript is so widespread and useful, this can leave you vulnerable to attacks.
Any computer that you or your business has connected to the internet could potentially be at risk. That’s why it pays to be aware of JavaScript and what could make it dangerous.
What is JavaScript? How Does JavaScript Work?
JavaScript is a powerful scripting language. Unlike C or C++, it does not need a separate compiler; the code runs directly in your browser. JavaScript manipulates the Document Object Model (DOM) of a website, the tree the browser builds by parsing the HTML and CSS. Once the page has been constructed in your browser and the HTML and CSS have finished loading, JavaScript acts on that DOM. Because of this structure, it can present many opportunities to attack users.
However, simply disabling JavaScript isn’t always the best solution. This removes some site security and usability features. Beyond this, some exploits can run whether JavaScript is enabled or not. So how do hackers use JavaScript? Here are some common attacks.
Keylogging with JavaScript
In 2012, researchers for Facebook studied 5 million users in the US and Great Britain. They wanted to find out how often users deleted posts that they started writing. To do this, they ran a small JavaScript function that tracked the text entry fields. While the researchers insisted no keystrokes were recorded, it was clear that this was possible. Imagine a website recording keystrokes even if you don’t send anything!
History Tracking
Keylogging is only one angle of JavaScript’s tracking abilities. Using browser cookies, companies and hackers can track you across websites. A popular example is the Facebook “Like” button. The button uses JavaScript to function. When the button loads, the script executes. This allows Facebook to gain information like what website you’re visiting.
Arbitrary Code Execution
This is the big one that terrifies people. Cross-site scripting (XSS) allows hackers and bad actors to inject malicious code into legitimate websites. It used to be common practice for banner ads to contain XSS attacks, installing malware simply for visiting a website. This even happens to major companies. For example, Twitter was once infected with the StalkDaily worm through XSS. More subtle applications persist today. For example, XSS running on a financial website could give hackers sensitive financial data.
How Can You Defend Against JavaScript Attacks? Can I make JavaScript Safe?
It’s a two-party responsibility here. Web developers must use secure practices, and users need to be vigilant. Using an up-to-date browser, certain ad blocking extensions, and security services can go a long way. It is also important to scan for malware regularly and read up on current threats. You should also avoid websites you don’t trust or recognize and disable JavaScript if a website looks suspect.
Sometimes vulnerabilities in certain programs are found that require time to fix. Because JavaScript can run arbitrary code on your machine, it’s important to know which of your apps use JavaScript libraries that may be compromised. JavaScript isn’t going anywhere, and it does more good than harm. Learn to stay safe on the web, and even JavaScript attacks won’t touch you. If you need advice on ensuring your company is safe, contact Arruda Group.