tags:

views:

170

answers:

6

Currently I have developed a site which is used for handle financial transactions. I have seen that some of my customers have done JavaScript injection attacks and have done some transactions which are not possible. As a example I have checked his cash balance before he place the order. But some of them did change that by running the following javascript in the address bar. They have taken the varible name by looking in to page source.

javascript:void(document.accounts.cashBalence.value="10000000")

Since this is critical I want to fixed it quickly. So is there a way to prevent JavaScript injection attacks?

+15  A: 

You can obfuscate or hash variable names and/or values. However,
Don't use JavaScript, do every logic in the server-side instead.

SHiNKiROU
+10k Who could possibly think that leaving critical business logic up to the client's computer without checks on the server is a good idea?
deceze
well for one, don't use javascript on banking sites. one less thing to worry about. no need for an "AJAX" experience.
RPM1984
It is fine to *use* javascript, but only for the UI logic and sanity checking **at the client**. The server should *trust nothing*.
Marc Gravell
@RPM Javascript on banking sites is fine, **as long as it's only used to enhance the interface.**
deceze
Agreed. Some simple DOM manipulation is fine. But i wouldn't be making AJAX calls.
RPM1984
@RPM Making AJAX calls is fine too, **as long as the server checks and double checks the validity of those.**
deceze
I shouldn't have said anything, should i. :)
RPM1984
@RPM Saying something is fine, **as long as you check the validity of what you're saying.** ;o)
deceze
Hahahaha, touche` my friend, touche`. +1 for the comment.
RPM1984
+3  A: 

Javascript runs in the user's browser. You ultimately have no control over it and should not trust it. Any verification you do in the browser is merely for the user's convenience so they can be alerted of problems as early as possible.

The backend code that accepts the order should do the authoritative check of the user's balance.

bemace
A: 

No client-side scripting (including Javascript) is good for verification, It should all be done on the server-side.

It is too unreliable to trust it specially if it is for financial records!!

It should be used for a better "user experience". Form validation while typing or whatever but not this!

Trufa
+4  A: 

I think that good answer would be think before use JavaScript to do some operation.

Or avoid hiring people like You... I apologize for my boldness but this type of thinking/working show that You don't have idea what are You doing.

Vash
+3  A: 

In the end it's not even a problem of Javascript. Your server talks to the outside world using HTTP. It sends data using HTTP and receives data using HTTP. Anybody can request data from it using HTTP and anybody can send data to it using HTTP.

Think about this again:
Anybody can send data to your server through the very simple protocol that is HTTP.

The HTML and Javascript you're sending to people's browsers is just a nice help, an interface, to allow them to easily send data to your server. They could do the same using the curl command on their command line or by telnet'ing into port 80 and talk really low-level to it.

If your server blindly obeys any and all commands sent to it without checking their validity, you have no security whatsoever. Security and validity checks belong on the server, not on the client side interface. Because HTML and Javascript aren't the only interface to your server, nor are they in any way protectable and hence trustworthy.

deceze
A: 

To prevent Javascript injection, you should have a Validation Feature whenever you allow your user to enter something. Try to use libraries that determine Javascript scripts that are entered to the form.

Also when displaying user inputs, you should Escape Texts to display it as is and will not be evaluated by the browser.

Utilize your server, your should place your business logic to the server and not to the client whether using Javascript or not. All data sent to the client are just view and should not process any business logic.

Roy Marco Aruta
He said people manipulated Javascript by entering snippets in the address bar (same as using the Javascript console), your tips won't help there.
deceze