Hi all,

This problem is regarding a JS hijacking scenario, and here it is:

Say Mr. Good has a website called "iamtooinnocent.com" which loads an "x.js" file to perform some particular tasks, and Mr. Bad is an evil cyber cafe owner who has set a redirect rule in place, so that whenever any surfer using his cyber cafe visits Good's website and the "x.js" file is requested, the request is simply redirected to some other evil domain which serves, say, a different "x.js" file with evil code in it. This way Good's website will never come to know that it has got a different JS file than what it requested.

I hope I have explained the scenario properly, so my problem is how can this be prevented? Is there really a way to prevent this? Can this be prevented by serving the JS file using HTTPS, though I am not so sure? Can anybody give me some heads up regarding this?

Thanks in advance.

+7  A: 

HTTPS is the standard for fighting man-in-the-middle attacks like the one you've described. It encrypts all traffic using the public certificate of your site. So it's not possible to change it. And the certificate itself is verified by third-party certificate authorities.

But it can't guarantee 100% security, because it's possible to create a local fake certificate authority available only in the cafe.

Ivan Nevostruev
@Ivan yes, you are right, HTTPS in this case might not help that much
Arnab
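
An added example, not part of the original thread: a check a site owner could run over a page to list the scripts that a network intermediary (such as the cafe's redirect rule) could swap, because the script or the page that references it travels over plain HTTP. The sample markup, `cdn.example` and `legacy.js` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src)


def tamperable_scripts(page_url, html):
    """Return resolved script URLs that can be replaced in transit.

    A script is exposed when its resolved URL is not https. If the page
    itself is not https, every script is exposed, because the <script>
    tag that names it can be rewritten before the browser sees it.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    exposed = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)  # handles relative and //host forms
        if not page_is_https or urlparse(resolved).scheme != "https":
            exposed.append(resolved)
    return exposed


# Constructed sample page for the question's site (markup is an assumption).
SAMPLE_HTML = """
<html><head>
<script src="x.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="http://iamtooinnocent.com/legacy.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for url in ("http://iamtooinnocent.com/", "https://iamtooinnocent.com/"):
        print(url, "->", tamperable_scripts(url, SAMPLE_HTML))
```
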
+3  A: 

If the computer owner is against you... you will have a hard time. The browser guarantees certain security rules, but the computer owner can modify it to his evil heart's content and you would be none the wiser...

Victor
Totally agree with this. Also, some viruses can create "fake" pages to steal your personal data. And the cafe owner may simply not know this.
Ivan Nevostruev
+1  A: 

Is this the sort of cyber cafe where they provide the computers? If so, you just have to trust the owner, because you can't have security on somebody else's machine. If nothing else, they can install a hardware keylogger.

If this is the sort where they provide a wireless connection and you bring your laptop, HTTPS should be a safeguard. If your browser handles certificates and SSL properly, it should be possible to go to a site that has a verified certificate and be safe. If there are any problems in your browser, of course, the cyber cafe owner is in an ideal position to take advantage of them, so you might want to keep an eye on known vulnerabilities.

The best move is not to patronize cyber cafes run by evil owners, but that can be difficult in some parts of the world.

David Thornley
+1  A: 

Rule #1 in web security boils down to: NEVER trust the client.

Remember that clients can do just about anything with the data you are sending them, and the data they send YOU:

  • modify cookies for subsequent requests
  • alter or add/remove other HTTP headers, spoof User Agents
  • specify any combination of data in GET/POST

You should assume any data coming IN from HTTP to your application is a malicious, tainted, evil mess, and sanitize accordingly.

webguydan
I fully agree with you
Arnab