if my webserver just serves static pages and my html pages allow users to run any javascript. Can a 'bad' user do any damage to me ?
p.s. There are lots of talk about watching out about XSS and what I am doing is even worse. I am letting the user to inject his/her javascript. what I don't get is what damage can they do ?
Thanks
I can run JavaScript on any page in my browser with Firebug or Chrome inspector. The only problem comes if you're allowing users to run JavaScript in other users' browsers.
No. A bad user cannot do any damage to you.
User A can, however, insert into your page some JavaScript code that causes annoyance or outright damage to user B. User B might then hold you responsible for what happened.
Can the user save the JavaScript and let someone else run it at a later time? That is where the trouble is at.
Since you are only serving static pages, the risk is lower; but there is still a risk. Here are a few things that an attacker can do
An attacker can inject code that rewrites the HTML of your page to whatever he wants. This way, he creates fictitious content that appears to come from you. This could mean listing the price of your products as $0 (or something ridiculously low). Or it could be fake news about your company. Then, he shares the link via facebook/twitter/digg etc, and people start visiting the injected page and believing whatever the attacker wants them to believe.
He could inject anchor tags into your page that links to other sites - for example adult sites. Then, he gets google to index the page with html injection. This way, he artificially boosts the popularity of the adult website because google thinks your site links to adult site.
If you have any admin pages that are served from the same domain, an attacker could use XSS to steal credentials and get to your server.
Those are the few that come to my head; I am sure an attacker could think of other problems.
If a user can inject javascript into your page then it's called cross-site scripting (XSS).
Look at the difference between stored and reflected cross-site scripting. Both can be considered a security hole, but stored XSS has significantly more damage potential. Stored XSS allows an attacker to do an HTTP post of a user's document.cookie, which as a worst case allows the attacker to log in to administrative pages.
XSS may not be of concern to your website due to 'static' content. But websites have a tendency to change and improve over time, and then old bugs which were not exploitable become great attack vectors.
tell me whether the user input is saved and shown back . if then i can run the following code which will crash the browser
window.location = "https://www.google.com";