Hi,
My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.
Basic security concerns are:
1. Possible SQL injection and other forms of injection attacks on URLs
of various server-side components the JavaScript accesses.
2. Possible client-side database access.
3. Incorrect use of HTTP GET for operations with possible side effects.
The security problems are probably relatively harmless, mainly because
the application should be running behind a firewall.
However I would like to have an analysis tool that can go over the
javascript code and allow me to see what urls are being called with
what parameters.
Also: JavaScript that writes new JavaScript into the page (so I can get all
JavaScript files of the application for analysis).
I know there are various javascript profilers and the like, anything
out there that helps in the analysis of this kind of application?
pantagruel wrote:
> Hi,
> My work is putting in a large application that is basically split up
> between 30 or so Javascript files. I have some security concerns about
> this application.
> Basic security concerns are:
> 1. Possible SQL injection and other forms of injection attacks on URLs
> of various server-side components the JavaScript accesses.
> 2. Possible client-side database access.
> 3. Incorrect use of HTTP GET for operations with possible side effects.
> The security problems are probably relatively harmless, mainly because
> the application should be running behind a firewall.

There may be things you can do to improve the javascript but there is
nothing realistic you can do to stop the kind of security problems that
come from client requests. You have to do _all_ verification on the
server-side even if you do some before the request with JavaScript on
the client-side.

> However I would like to have an analysis tool that can go over the
> javascript code and allow me to see what urls are being called with
> what parameters.

find in a text editor?

> Also: JavaScript that writes new JavaScript into the page (so I can get all
> JavaScript files of the application for analysis).
> I know there are various javascript profilers and the like, anything
> out there that helps in the analysis of this kind of application?
"pantagruel " <ra************ *@gmail.comwrot e in message
news:11******** **************@ e3g2000cwe.goog legroups.com...
Hi,
My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.
However I would like to have an analysis tool that can go over the
javascript code and allow me to see what urls are being called with
what parameters.
I know there are various javascript profilers and the like, anything
out there that helps in the analysis of this kind of application?
To do this with a tool, you need something that parses JavaScript
and makes the parsed result available for such analysis.
While it doesn't do what you want out of the box, you could
build such an analysis tool using the DMS Software Reengineering
Toolkit, which does have a JavaScript front end parser.
For more details see http://www.semanticdesigns.com/Produ...MSToolkit.html
--
Ira Baxter, CTO www.semanticdesigns.com
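Ira's point is that a text search finds strings, but cannot tell an HTTP method from a URL, follow a URL that is concatenated from several pieces, or ignore a commented-out call. The following is an added example, not code from this thread and not the Semantic Designs toolkit: a small hand-written tokenizer that skips comments and handles escaped quotes, followed by a pass that reports `.open(method, url)` calls with their query parameters, flags GET requests whose path contains a side-effect verb (list of verbs is an assumption), and collects scripts the page loads dynamically via `el.src = ...` or `document.write('<script src=...>')`. The application source it scans is constructed for the example; identifiers concatenated into a URL are shown as `{name}` placeholders.

```javascript
// Added example: a minimal JavaScript source scanner for the questions in
// this thread. Not a full parser: regex literals and template strings are
// not recognised, and a URL held in a variable defined elsewhere shows up
// only as a {placeholder}. For anything beyond that you want a real AST.

function tokenize(src) {
  const toks = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') {             // line comment
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && src[i + 1] === '*') {      // block comment
      const end = src.indexOf('*/', i + 2);
      i = end < 0 ? src.length : end + 2;
    } else if (c === '"' || c === "'") {               // string literal
      let j = i + 1, val = '';
      while (j < src.length && src[j] !== c) {
        if (src[j] === '\\') { val += src[j + 1]; j += 2; } else { val += src[j++]; }
      }
      toks.push({ t: 'str', v: val });
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(c)) {                 // identifier / keyword
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j++;
      toks.push({ t: 'id', v: src.slice(i, j) });
      i = j;
    } else if (/\s/.test(c)) {
      i++;
    } else {                                           // punctuation, one char
      toks.push({ t: 'p', v: c });
      i++;
    }
  }
  return toks;
}

const HTTP_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD'];
// Assumed list of verbs that suggest a state change when seen in a path.
const SIDE_EFFECT = /delete|remove|update|save|create|add|set|drop/i;

function scan(src) {
  const toks = tokenize(src);
  const calls = [], scripts = [];
  const at = (k) => toks[k] || { t: '', v: '' };
  for (let i = 0; i < toks.length; i++) {
    // xhr.open("METHOD", <url expression>, ...)
    if (at(i).v === 'open' && at(i - 1).v === '.' && at(i + 1).v === '(' &&
        at(i + 2).t === 'str' && HTTP_METHODS.includes(at(i + 2).v.toUpperCase()) &&
        at(i + 3).v === ',') {
      const method = at(i + 2).v.toUpperCase();
      // Rebuild the URL argument up to the next ',' or ')': string pieces are
      // kept, identifiers concatenated in become {name}, operators are dropped.
      let url = '';
      for (let j = i + 4; j < toks.length && at(j).v !== ',' && at(j).v !== ')'; j++) {
        if (at(j).t === 'str') url += at(j).v;
        else if (at(j).t === 'id') url += '{' + at(j).v + '}';
      }
      const [path, query = ''] = url.split('?');
      const params = query ? query.split('&').map((kv) => kv.split('=')[0]) : [];
      calls.push({ method, path, params, flagged: method === 'GET' && SIDE_EFFECT.test(path) });
    }
    // Dynamically loaded code: el.src = "..." or document.write("<script src=...>")
    if (at(i).v === 'src' && at(i + 1).v === '=' && at(i + 2).t === 'str') {
      scripts.push(at(i + 2).v);
    }
    if (at(i).v === 'write' && at(i + 1).v === '(' && at(i + 2).t === 'str') {
      const m = /<script[^>]*src=["']?([^"'\s>]+)/i.exec(at(i + 2).v);
      if (m) scripts.push(m[1]);
    }
  }
  return { calls, scripts };
}

// Constructed sample application source (not from the thread).
const SAMPLE = `
// constructed sample, not real application code
var xhr = new XMLHttpRequest();
xhr.open("GET", "/orders/list.asp?customer=" + custId + "&page=1", true);
xhr.send(null);
function del(id) {
  var r = new XMLHttpRequest();
  r.open('GET', '/orders/delete.asp?id=' + id, false); // side effect over GET
  r.send(null);
}
var s = document.createElement("script");
s.src = "/js/module17.js";
document.write('<script src="/js/legacy.js"></script>');
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scan(SAMPLE), null, 2));
}
```

Run it with `node scanner.js` and it prints two calls, of which the `/orders/delete.asp` GET is flagged, plus the two script paths, which is the list of files you would feed back into the scanner to cover the whole application. The same approach over 30 files gives you the URL and parameter inventory the question asks for; what it cannot give you is certainty about URLs assembled at runtime, which is where a tool built on a real parser earns its keep.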
<pe**********@gmail.com> wrote in message
news:11*****************@p79g2000cwp.googlegroups.com...
> pantagruel wrote:
>> Hi,
>> My work is putting in a large application that is basically split up
>> between 30 or so Javascript files. I have some security concerns about
>> this application.
>> Basic security concerns are:
>> 1. Possible SQL injection and other forms of injection attacks on URLs
>> of various server-side components the JavaScript accesses.
>> 2. Possible client-side database access.
>> 3. Incorrect use of HTTP GET for operations with possible side effects.
>> The security problems are probably relatively harmless, mainly because
>> the application should be running behind a firewall.
>
> There may be things you can do to improve the javascript but there is
> nothing realistic you can do to stop the kind of security problems that
> come from client requests. You have to do _all_ verification on the
> server-side even if you do some before the request with JavaScript on
> the client-side.
>
>> However I would like to have an analysis tool that can go over the
>> javascript code and allow me to see what urls are being called with
>> what parameters.
>
> find in a text editor?
>
>> Also: JavaScript that writes new JavaScript into the page (so I can get
>> all JavaScript files of the application for analysis).
>> I know there are various javascript profilers and the like, anything
>> out there that helps in the analysis of this kind of application?
You cannot trust Javascript to enforce security policies, since it
ultimately runs under control of client.
My guiding philosophy:
Use Javascript and client-side validation to protect the client from
himself.
Use server-side validation code to protect the server from the client.
If that makes for redundant validation, so what!?
---Bruce Wisentaner
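Bruce's rule, "protect the server from the client", in code. This is an added example and not from the thread: each server-side endpoint declares the one HTTP method it accepts and a validator for every parameter it takes, and the handler rejects anything undeclared before any database work happens, regardless of what the client-side JavaScript checked. The endpoint paths, parameter names and SQL text are invented for illustration; the query objects show values going to the driver as bind parameters rather than being spliced into the statement, which is what closes the SQL-injection concern from the original post, while the per-endpoint method closes the GET-with-side-effects concern.

```javascript
// Added example: server-side validation that does not trust the client.
// Endpoints, parameters and SQL are made up for illustration.

const isId = (s) => /^[1-9]\d{0,9}$/.test(s);       // positive integer id
const isSmallInt = (s) => /^\d{1,3}$/.test(s);      // 0..999

const ENDPOINTS = {
  // Read-only, so GET is acceptable.
  '/orders/list.asp': {
    method: 'GET',
    params: { customer: isId, page: isSmallInt },
    // Even validated values travel as bind parameters ("?"), never as text
    // spliced into the statement, so a value that slipped past validation
    // still cannot change the query's structure.
    query: (p) => ({
      text: 'SELECT id, total FROM orders WHERE customer_id = ? LIMIT 50 OFFSET ?',
      values: [Number(p.customer), 50 * Number(p.page)],
    }),
  },
  // Has a side effect, so it must not be reachable by GET: a crawler, a
  // prefetching browser or an <img src=...> on another page would fire it.
  '/orders/delete.asp': {
    method: 'POST',
    params: { id: isId },
    query: (p) => ({ text: 'DELETE FROM orders WHERE id = ?', values: [Number(p.id)] }),
  },
};

const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Check method and query string against the endpoint declaration.
// Returns { ok: true, params } or { ok: false, reason }.
function validateRequest(method, rawUrl) {
  const q = rawUrl.indexOf('?');
  const path = q < 0 ? rawUrl : rawUrl.slice(0, q);
  const rawQuery = q < 0 ? '' : rawUrl.slice(q + 1);
  const spec = ENDPOINTS[path];
  if (!spec) return { ok: false, reason: 'unknown endpoint' };
  if (method !== spec.method) return { ok: false, reason: 'method not allowed' };
  const params = {};
  for (const kv of rawQuery ? rawQuery.split('&') : []) {
    const eq = kv.indexOf('=');
    let k, v;
    try {
      k = decodeURIComponent(eq < 0 ? kv : kv.slice(0, eq));
      v = decodeURIComponent(eq < 0 ? '' : kv.slice(eq + 1));
    } catch (e) {
      return { ok: false, reason: 'malformed encoding' };
    }
    if (!own(spec.params, k)) return { ok: false, reason: 'unexpected parameter ' + k };
    if (own(params, k)) return { ok: false, reason: 'duplicate parameter ' + k };
    if (!spec.params[k](v)) return { ok: false, reason: 'invalid ' + k };
    params[k] = v;
  }
  for (const k of Object.keys(spec.params)) {
    if (!own(params, k)) return { ok: false, reason: 'missing ' + k };
  }
  return { ok: true, params };
}

// What a request handler does: validate first, then build the bound query.
function handleRequest(method, rawUrl) {
  const v = validateRequest(method, rawUrl);
  if (!v.ok) return v;
  const path = rawUrl.split('?')[0];
  return { ok: true, params: v.params, query: ENDPOINTS[path].query(v.params) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed requests: one legitimate, one side effect over GET, one
  // classic injection attempt in a numeric parameter.
  const samples = [
    ['GET', '/orders/list.asp?customer=42&page=1'],
    ['GET', '/orders/delete.asp?id=7'],
    ['GET', '/orders/list.asp?customer=1%20OR%201%3D1&page=0'],
  ];
  for (const [m, u] of samples) console.log(m, u, '->', JSON.stringify(handleRequest(m, u)));
}
```

In a real handler the POST body would be parsed and checked the same way as the query string here; the point is that the declaration lives on the server and is the only thing that decides what a request may do. Redundant with the client-side checks, as Bruce says, and that is fine.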