Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying JavaScript Security
  • Table Of Contents Toc
JavaScript Security

JavaScript Security

By : Eugene Liang
2 (1)
Buy this Book
close
close
JavaScript Security

JavaScript Security

2 (1)
By: Eugene Liang
Buy this Book

Overview of this book

This book is for JavaScript developers having basic web development knowledge and also for those who want to explore the security issues that arise from the use of JavaScript. Prior knowledge of how JavaScript is used, such as for DOM manipulation or to perform Ajax operations, is assumed.
Table of Contents (8 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. JavaScript and the Web
chevron up
Icon
1. JavaScript and the Web
Icon
JavaScript and your HTML/CSS elements
Icon
JavaScript beyond the client
Icon
JavaScript security issues
Icon
Summary
2
2. Secure Ajax RESTful APIs
Icon
2. Secure Ajax RESTful APIs
Icon
Building a RESTful server
Icon
Basic defense against similar attacks
Icon
Summary
3
3. Cross-site Scripting
Icon
3. Cross-site Scripting
Icon
What is cross-site scripting?
Icon
Examples of cross-site scripting
Icon
Defending against cross-site scripting
Icon
Summary
4
4. Cross-site Request Forgery
Icon
4. Cross-site Request Forgery
Icon
Introducing cross-site request forgery
Icon
Other examples of CSRF
Icon
Other forms of protection
Icon
Summary
5
5. Misplaced Trust in the Client
Icon
5. Misplaced Trust in the Client
Icon
When trust gets misplaced
Icon
Summary
6
6. JavaScript Phishing
Icon
6. JavaScript Phishing
Icon
What is JavaScript phishing?
Icon
Examples of JavaScript phishing
Icon
Defending against JavaScript phishing
Icon
Summary
7
Index
Icon
Index

JavaScript security issues

JavaScript is becoming ubiquitous and more popular now. However, it has some security issues if not used properly. Two of the most commonly known examples are cross-site request forgery (CSRF) and cross-site scripting. I'll touch very briefly upon these two topics as a way to prepare you for the remainder of the book.

Cross-site request forgery

I decided to start off with this topic as it is generally easier to explain and understand. To put it simply, cross-site request forgery refers to a type of malicious exploitation of a website where unauthorized commands are transmitted from an unknowing user that the website trusts.

The following straightforward example involves Ajax requests: go back to earlier sections where we talked about POST requests. Imagine that your server endpoint does not defend itself against an Ajax request made outside of your domain name, and somehow, malicious POST requests are made. That particular request can somehow be made to alter your database information and more.

You may argue that we can make use of CSRF tokens (a common technique to prevent cross-domain requests and a way to provide greater security to the site) as a security measure, but it is not entirely safe. For instance, the script that is performing the attack could be residing in the website itself; the site could have been hijacked with malicious script in the first place.

In addition, if some of the following conditions are met, CSRF can be achieved:

  • The defending websites do not check the referrer header
  • The attacker will need to:
    • Find a form submission endpoint (that typically has important side effects, such as monetary exchange or exchange of highly personal information)
    • Guess the right values for the form inputs in order to carry out the attack

Cross-site scripting

Cross-site scripting (XSS) enables attackers to inject a client-side script (usually JavaScript) into web pages that are used by users. The general idea is that attackers use the known vulnerabilities of web-based applications, servers, plugin systems (such as WordPress), or even third-party JavaScript plugins to serve malicious scripts or content from the compromised site. The end result is that the compromised site ends up sending content that contains the malicious content/script.

If the content happens to be a piece of malicious JavaScript, then the results can be disastrous: since we know that JavaScript has global access to the web page, such as the DOM, and given the fact that that piece of JavaScript can have access to the cookies issued by the site (thus allowing the attacker to gain access to potentially useful information), that piece of JavaScript can do the following:

  • Make changes on the DOM so that it creates links, malicious content, and more
  • Perform actions on behalf of the user, such as performing web form submissions or Ajax operations straight from the site

If you are new to all this, all you need to remember at this point in time is that such security flaws come from both server-side and client-side weaknesses. We'll be touching upon them in the next chapter.

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
JavaScript Security
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon