9,735
I've implemented a JavaScript Object that intercepts page submits (postbacks) and then displays a UI prompting the user to confirm(yes)/deny(no)/cancel(close UI/cancel submit) their action.
There may be additional JavaScript methods to execute before displaying the UI and may be additional JavaScript methods to execute upon closing the UI.
I'm thinking about passing these additional JavaScript methods from the server to the JavaScript Object using "properties".
There's a little magic here because I'm not entirely sure how the data (the properties) is passed from my .NET Server code to my JavaScript Object. I'm assuming that there is a JSON Object being used behind the scenes....I'm going to look into this on my own....
I am wondering about the risks of using the eval() method with regards to JSON Objects. I'm quite new to JavaScript and so I'm not entirely sure how to secure my Objects.
The way I see it (assumption about using JSON made):
- Server sends JSON Object to client:
- client populates my JS Object's properties w/data supplied
- JS Object uses eval() method to executed additional JS methods
If the JSON Object were captured and modified during transport, then my JavaScript Object may end up executing code that isn't my own.
Is there some way (a toolkit or other JavaScript library which you would recommend that can check hashes or something) to verify that the JavaScript has been provided by my code?
Is this type of attack easy to do (is it high risk)?
Is there something other than the eval() method that I can use that is safer?
Are there any other risks that I should be aware of?
I know that this is a lot to ask but I'm pretty much looking for any keywords/concepts that I can research before I start implementing this solution. Your thoughts on the topic would be greatly appreciated.
Thanks a lot,
-Frinny
