Bytes IT Community

analysing flow of a javascript application

Hi,

My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.

Basic security concerns are:

1. Possible SQL injection and other forms of injection attacks on URLs
of various server side components javascript accesses.

2. possible client side database access.

3. Incorrect use of http get for operations with possible side effects.

The security problems are probably relatively harmless. Mainly because
the application should be running behind a firewall.

However I would like to have an analysis tool that can go over the
javascript code and allow me to see what urls are being called with
what parameters.

Javascript that writes new javascript into the page (so I can get all
the javascript files of the application for analysis)

I know there are various javascript profilers and the like, anything
out there that helps in the analysis of this kind of application?

Sep 8 '06 #1


pantagruel wrote:
> Hi,
>
> My work is putting in a large application that is basically split up
> between 30 or so Javascript files. I have some security concerns about
> this application.
>
> Basic security concerns are:
>
> 1. Possible SQL injection and other forms of injection attacks on URLs
> of various server side components javascript accesses.
>
> 2. possible client side database access.
>
> 3. Incorrect use of http get for operations with possible side effects.
>
> The security problems are probably relatively harmless. Mainly because
> the application should be running behind a firewall.

There may be things you can do to improve the javascript but there is
nothing realistic you can do to stop the kind of security problems that
come from client requests. You have to do _all_ verification on the
server-side even if you do some before the request with JavaScript on
the client-side.

> However I would like to have an analysis tool that can go over the
> javascript code and allow me to see what urls are being called with
> what parameters.

Find in a text editor?

> Javascript that writes new javascript into the page (so I can get all
> the javascript files of the application for analysis)
>
> I know there are various javascript profilers and the like, anything
> out there that helps in the analysis of this kind of application?

Sep 8 '06 #2

"pantagruel" <ra*************@gmail.com> wrote in message
news:11**********************@e3g2000cwe.googlegroups.com...
> Hi,
>
> My work is putting in a large application that is basically split up
> between 30 or so Javascript files. I have some security concerns about
> this application.
>
> However I would like to have an analysis tool that can go over the
> javascript code and allow me to see what urls are being called with
> what parameters.
>
> I know there are various javascript profilers and the like, anything
> out there that helps in the analysis of this kind of application?

To do this with a tool, you need something that parses JavaScript
and makes the parsed result available for such analysis.

While it doesn't do what you want out of the box, you could
build such an analysis tool using the DMS Software Reengineering
Toolkit, which does have a JavaScript front end parser.
For more details see
http://www.semanticdesigns.com/Produ...MSToolkit.html
--
Ira Baxter, CTO
www.semanticdesigns.com
Sep 16 '06 #3
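As an added illustration of the kind of pass the original poster asked for (which URLs are called, with what parameters, and which scripts get written into the page at runtime), here is a small scanner in plain JavaScript. It is not code from the thread and not part of DMS; it works on string literals and `xhr.open()` calls only, which is exactly the limitation Ira's reply points at, since a real parser is needed to resolve URLs assembled at runtime. The base host `app.example` and the `SAMPLE` source are constructed for the example.

```javascript
// Added example, not code from the thread or from DMS: list the URLs a
// JavaScript file calls, the query parameters it passes, and the HTTP method
// where an XMLHttpRequest.open() call reveals it. Literals only; a URL built
// from variables is reported as "dynamic". Base host and SAMPLE are constructed.

const BASE = 'http://app.example/'; // assumed base for resolving relative URLs

// Return the string literals in `src`, skipping // and /* */ comments.
// Regex literals and template strings are not handled (a real parser would).
function stringLiterals(src) {
  const out = [];
  for (let i = 0; i < src.length; ) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') {           // line comment
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && src[i + 1] === '*') {    // block comment
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (c === '"' || c === "'") {             // quoted string
      let j = i + 1, s = '';
      for (; j < src.length && src[j] !== c; j++) s += src[j] === '\\' ? src[++j] : src[j];
      out.push(s);
      i = j + 1;
    } else i++;
  }
  return out;
}

// Read one call argument starting at `pos`, stopping at a top-level ',' or ')'.
function readArgument(src, pos) {
  let depth = 0, quote = null, i = pos;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '(' || c === '[') depth++;
    else if (c === ')' || c === ']') { if (depth === 0) break; depth--; }
    else if (c === ',' && depth === 0) break;
  }
  return src.slice(pos, i);
}

// Describe a URL expression: join its literal pieces, parse them, and mark the
// result dynamic if anything other than literals and '+' is left over.
function describeUrl(expr) {
  const literal = stringLiterals(expr).join('');
  const leftover = expr.replace(/(["'])(?:\\.|(?!\1).)*\1/g, '').replace(/[\s+]/g, '');
  const url = literal ? new URL(literal, BASE) : null;
  return {
    path: url ? url.pathname : null,
    params: url ? [...url.searchParams.keys()] : [],
    dynamic: leftover.length > 0,
  };
}

// Find xhr.open("METHOD", <url expression>, ...) calls.
function findRequests(src) {
  const found = [];
  const re = /\.open\(\s*(["'])(\w+)\1\s*,\s*/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const expr = readArgument(src, m.index + m[0].length);
    found.push({ method: m[2].toUpperCase(), ...describeUrl(expr) });
  }
  return found;
}

// Find scripts the page injects at runtime via document.write('<script src=...>'),
// so those files can be pulled into the review as well.
function findInjectedScripts(src) {
  const scripts = [];
  for (const s of stringLiterals(src)) {
    const tag = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/i.exec(s);
    if (tag) scripts.push(tag[1]);
  }
  return scripts;
}

// Concern 3 in the thread: GET requests whose path name suggests a state
// change. A naive word list; it only yields candidates for a human to check.
function suspiciousGets(requests) {
  return requests.filter(r => r.method === 'GET' && /delete|remove|update|create|save/i.test(r.path || ''));
}

// Constructed sample of the kind of file the reviewer would scan.
const SAMPLE = `
// fetch one customer record
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/customer?id=" + custId + "&view=full", true);
xhr.send(null);
/* deletion wired to a plain link */
xhr.open('GET', '/api/deleteCustomer?id=' + encodeURIComponent(custId));
xhr.open("POST", endpoint);
document.write('<script src="/js/extra.js"></script>');
`;

const requests = findRequests(SAMPLE);
console.log(JSON.stringify({ requests, scripts: findInjectedScripts(SAMPLE),
                             flagged: suspiciousGets(requests) }, null, 2));
```

Run it over each of the application's files in turn; the `dynamic` flag tells you which URLs need a closer look by hand (or by a parser-based tool), and the `scripts` list gives you the additional files to feed back into the same pass.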

<pe**********@gmail.com> wrote in message
news:11*********************@p79g2000cwp.googlegroups.com...
> pantagruel wrote:
> > Hi,
> >
> > My work is putting in a large application that is basically split up
> > between 30 or so Javascript files. I have some security concerns about
> > this application.
> >
> > Basic security concerns are:
> >
> > 1. Possible SQL injection and other forms of injection attacks on URLs
> > of various server side components javascript accesses.
> >
> > 2. possible client side database access.
> >
> > 3. Incorrect use of http get for operations with possible side effects.
> >
> > The security problems are probably relatively harmless. Mainly because
> > the application should be running behind a firewall.
>
> There may be things you can do to improve the javascript but there is
> nothing realistic you can do to stop the kind of security problems that
> come from client requests. You have to do _all_ verification on the
> server-side even if you do some before the request with JavaScript on
> the client-side.
>
> > However I would like to have an analysis tool that can go over the
> > javascript code and allow me to see what urls are being called with
> > what parameters.
>
> Find in a text editor?
>
> > Javascript that writes new javascript into the page (so I can get all
> > the javascript files of the application for analysis)
> >
> > I know there are various javascript profilers and the like, anything
> > out there that helps in the analysis of this kind of application?

You cannot trust Javascript to enforce security policies, since it
ultimately runs under the control of the client.

My guiding philosophy:
Use Javascript and client-side validation to protect the client from
himself.
Use server-side validation code to protect the server from the client.
If that makes for redundant validation, so what!?

---Bruce Wisentaner
Sep 19 '06 #4
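To make the two replies' point concrete (client-side checks for the user's convenience, server-side checks for the server's protection, redundancy included), here is an added example, not code from the thread: a pure request handler that re-applies the validation the page's JavaScript may or may not have done, refuses state-changing operations over GET (the original poster's concern 3), and hands the id to the database as a bound parameter rather than splicing it into SQL text (concern 1). The route names, the `app.example` host and the query shape are assumed; there is no real database behind it.

```javascript
// Added example, not code from the thread: server side of "protect the server
// from the client", as a pure handler that trusts nothing the page checked.
// Routes, host and the SQL shape are assumed; no real database is involved.

const HOST = 'http://app.example/';
const STATE_CHANGING = new Set(['/api/deleteCustomer']); // assumed route

// Client-side check: instant feedback for the user, nothing more.
function clientValidateId(value) {
  return /^\d{1,9}$/.test(value);
}

// Server-side check: the same rule re-applied, because the request may not
// have come from our page at all. Returns a number or null.
function serverValidateId(value) {
  return typeof value === 'string' && /^\d{1,9}$/.test(value) ? Number(value) : null;
}

// The id travels as a bound parameter; it is never spliced into SQL text.
// These objects stand in for the driver call.
function customerQuery(id) {
  return { text: 'SELECT name FROM customer WHERE id = $1', values: [id] };
}

function deleteQuery(id) {
  return { text: 'DELETE FROM customer WHERE id = $1', values: [id] };
}

// handle(method, rawUrl) -> { status, body }; no network, so easy to test.
function handle(method, rawUrl) {
  const url = new URL(rawUrl, HOST);
  // Concern 3 in the thread: anything with a side effect is refused over GET.
  if (STATE_CHANGING.has(url.pathname) && method !== 'POST') {
    return { status: 405, body: 'state-changing operations require POST' };
  }
  const id = serverValidateId(url.searchParams.get('id'));
  if (id === null) return { status: 400, body: 'id must be 1 to 9 digits' };
  if (url.pathname === '/api/customer') return { status: 200, body: customerQuery(id) };
  if (url.pathname === '/api/deleteCustomer') return { status: 200, body: deleteQuery(id) };
  return { status: 404, body: 'unknown route' };
}

// Constructed requests, including one that bypassed the client-side check.
for (const [m, u] of [['GET', '/api/customer?id=42'],
                      ['GET', '/api/customer?id=42 OR 1=1'],
                      ['GET', '/api/deleteCustomer?id=42'],
                      ['POST', '/api/deleteCustomer?id=42']]) {
  console.log(m, u, '->', JSON.stringify(handle(m, u)));
}
```

The second constructed request shows why the redundancy is worth it: `clientValidateId` would have stopped it in the browser, but nothing forces a request to pass through the browser's code, so the server applies the same rule again and answers 400.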
