tags:

views:

107

answers:

5
+3  Q: 

Could browser javascript harm my backend server?

Hi,

I'm coding an application where I want to let the user learn javascript in this way:

  1. The user write javascript code on the browser like in an IDE.
  2. The user saves it and the code will be saved as a string in my backend No-SQL database (MongoDB/CouchDB).
  3. The user opens the application some days later and I pass that string to the web browser where the code will be executed with eval().

There will be only JSON data transferred between backend server and web browser. The server won't do anything on the code string, it will only save it directly into the database.

Could this code possibly do any damage on the server side?

+2  A: 

No harm can come from this if its just stored as a string in the DB.

Its really no different than storing any other string. Its just data at that point.

Jonathan S.  2010-09-29 21:48:52
+2  A: 

anytime you accept input from a user you must check to make sure it doesn't contain things like sql injection or js injection.

So it can be dangerous to your server (sql injection could wipe/output your db) and to your users (js injection could send them to nefarious sites)

hvgotcodes  2010-09-29 21:50:49
I can prevent the SQL-injection with using a No-SQL database like MongoDB. But I guess that could give me JS injection attacks if I use their Javascript driver. Maybe I could prevent JS injections with using the Ruby driver instead?
never_had_a_name  2010-09-29 21:54:42
@ajsie it might be a bit more complicated than that. It seems like you want to allow users to store working js code. Which is fine, until some malicious user embeds an iframe that does to a site that is an attack site. So you are going to need to guard against things like that...
hvgotcodes  2010-09-29 22:05:42
+3  A: 

On the server-side, no. Unless the scripts runs on IE and create multiple files disk. Or make some request to your system inserting billions of new entries...

So you have to take care with requests (flood control), be careful with IE and be careful with SQL injections.

Examples

And the request I'm talking about could be something like:

ajax.post("page_save_js.ext", "code=flood");

Then each time it runs it will insert a new code, flooding the server. StackOverflow controls this flood using captcha after some requests in a short amount of time.

BrunoLM  2010-09-29 21:53:18
@BrunoLM: Great tip! *Noted*
never_had_a_name  2010-09-29 22:09:16
IE has no more power over the server than any other browser, so forget about IE. OTOH, if the server is not protected, you don't need to serve any javascript to be in trouble.
zvonimir  2010-09-30 00:12:08
+2  A: 

Your server code won't run the javascript unless you tell it to somehow, so that won't cause problems. (And of course you should avoid any SQL injection issues.)

However, if you provide sensitive information in the page (hidden or otherwise), or allow javascript to make ajax calls into methods on your servier, those can be security issues.

John Fisher  2010-09-29 21:53:57
I think it will be relevant to allow the user make ajax calls back to the server to retrieve information (in JSON) he/she has stored in the database. Could this really be a security problem if I just give the user the information from database in JSON. I don't execute anything during that route: A clean request -> response transaction like a Restful API, right?
never_had_a_name  2010-09-29 22:03:58
It doesn't let them do anything they couldn't already do with a Javascript debugger. Just make sure you're appropriately paranoid about what the server does with the AJAX requests.
Simon  2010-09-29 22:16:54
@Simon: That may not be true. Once the user's script is in the server's database, that script can be sent to pages other than the ones running on the originating user's computer -- allowing the originating user to run javascript on other people's computers. This is why you need to be careful.
John Fisher  2010-09-30 15:40:19
+2  A: 

Using a nosql database only makes you invulnerable against "SQL injection", but there are very similar QL injection attack vectors. So you still have to escape your data or use data safe APIs (the equivalent of prepared statements in the SQL world).

Some examples of NOSQL-injections are given on http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/ (Search for "NoSQL Doesn’t Mean No SQL Injection" within that page).

For the client side: If possible you should make sure that the java script is only delivered to the user who uploaded it unless the user is trusted. This includes a CSRF check on the login form. Wikipedia failed on this in the past.

nhnb  2010-09-29 22:05:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security