Why injecting javascript code is a bad idea










I have a web project developed with ASP.NET.

In my web project, I have a page called MainPage. Depending on the query string, the end user can see in MainPage a survey edit form (www.a.com?entity=survey@op=edit), a parameter insertion form (www.a.com?entity=parameter&op=add), etc.

The query strings above are just examples, since I encrypt them and the end user actually sees some complex words in the URL,

ex: www.a.com?saşlfas571=sflkmlm11sd&13kjn13=1378183

Moreover, in MainPage I'm loading a JavaScript called MainPageJs, and it shows the correct JS code according to the query string.

I'm loading MainPageJs in MainPage.cshtml:

    @section scripts {
        <script type="text/javascript" src="@CustomUrl.CustomAction("MainPageJS", "Home", new { entity = entityName, op = opName })"></script>
    }

The code below shows how MainPageJs works:

     ....
    string res = "";
    if (queryString == "parameter")
    {
        res = "var a = 1;";
    }
    if (queryString == "survey")
    {
        res = "var a = 2;";
    }
    if (queryString == "user")
    {
        res = "var a = 3;";
    }

    return JavaScript(res.ToString());

Now the thing I wonder is:

  1. Does my code style have any security problems?

  2. Does my web page have any security vulnerability?

  3. Does this style have a JavaScript code injection vulnerability?






javascript asp.net security code-injection






edited Nov 11 at 1:14









Gabriel Luci

asked Nov 3 at 8:19









brtb

  • 2
    You might get a better response on codereview.stackexchange.com and/or security.stackexchange.com
    – Ian Kemp
    Nov 5 at 8:50

  • If you directly insert values from the query string into the generated code, then you have a severe vulnerability. If you are just writing code like in your sample, where you statically determine the generated code, then you may be safe, but there is a better way to write such code.
    – Aluan Haddad
    Nov 8 at 19:49












3 Answers
is my code style has any security problem?

No. There is nothing wrong with dynamic code executed on the client, at least from a security point of view (you should still control the performance of it).

is my web page has security vulnerability?

No. You can't break anything by executing dynamic code on the client. "Dynamic" code is executed in the same sandbox with the same privileges as your common JS.

is this style has a javascript code injection vulnerability?

Some people use the term "JavaScript Injection Attack" to name the side effects of $( userInput ).insertAfter( .. ); when the user can run some JavaScript from the user's input (if userInput contains <script>...</script>), but it is not related to dynamic JS; it is more about dynamic HTML.







            edited Nov 11 at 10:43

























            answered Nov 10 at 12:44









            Roman Pokrovskij

Does my code style have any security problems?
Does my web page have any security vulnerability?
Does this style have a JavaScript code injection vulnerability?

It totally depends on your ASP code implementation. From your question, I don't see a big security issue. However, if you are not familiar with vulnerabilities or security, I would not recommend this code style.

Here are some reasons.

1. You opened your URL to the public.
   Even if you encode it, some dodgy people will try to hack it. For example, from different URLs, a hacker can decode it. I prefer to hide it and not give them a chance. Also, you can use the URL as a more readable resource for search engines.

2. If you don't use a framework, you might need to implement filtering of parameters to prevent injection attacks (SQL, JS). It takes time.

3. It is hard to maintain the code.
   As your code mixes ASP and JS, it gets harder as your code gets bigger, especially when you deal with a View like HTML with JS in ASP code.







                    answered Nov 11 at 11:20









                    John

If you are encrypting client-side, it is possible for the user to actually see what is being sent to the application before it gets encrypted. There are tools to monitor client-side activity (such as YSlow), and a malicious user with technical expertise could use them to detect possible front-end vulnerabilities. Remember to never trust user input; allowing a user to inject code in your app is never a good choice.







                            answered Nov 12 at 6:55









                            Otávio Monteagudo
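
The distinction drawn in Aluan Haddad's comment on the question (a statically chosen script versus request text inserted into the generated code), together with the parameter filtering John's answer mentions, shown as an added example that is not part of the original thread. Node.js stands in here for the ASP.NET action that returns MainPageJs; `buildByConcatenation`, `buildWithEncodedData`, `run`, `compare` and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Plain JavaScript stands in for the
// server-side action that produces the MainPageJs response.

// Allow-list from the question: request value -> script text fixed in source.
const SCRIPTS = new Map([
  ['parameter', 'var a = 1;'],
  ['survey', 'var a = 2;'],
  ['user', 'var a = 3;'],
]);

// Pattern in the question: the request value only selects one of the
// constants above; unknown values produce an empty script.
function buildFromAllowList(entity) {
  return SCRIPTS.get(entity) ?? '';
}

// Pattern the comment warns about (hypothetical variant of the action):
// request text is pasted into the script, so it is parsed as code.
function buildByConcatenation(entity) {
  return "var a = 0; var entity = '" + entity + "';";
}

// When a request value really has to reach the script, emit it as an encoded
// string literal so it can only ever be data. The extra escapes keep the
// literal safe if the script is later placed inline in an HTML page.
function buildWithEncodedData(entity) {
  const literal = JSON.stringify(String(entity))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'var a = 0; var entity = ' + literal + ';';
}

// Execute a generated script the way a browser would and report the values
// of the variables it leaves behind.
function run(script) {
  const body = script +
    "\nreturn {" +
    " a: typeof a === 'undefined' ? undefined : a," +
    " entity: typeof entity === 'undefined' ? undefined : entity };";
  return new Function(body)();
}

// Constructed input: a query-string value that closes the quote early and
// appends a statement of its own.
const HOSTILE = "x'; a = 999; //";

// Side-by-side result of the three builders for one request value.
function compare(entity) {
  return {
    allowList: run(buildFromAllowList(entity)),
    concatenated: run(buildByConcatenation(entity)),
    encoded: run(buildWithEncodedData(entity)),
  };
}

console.log(compare('survey'));
console.log(compare(HOSTILE));
```

With the constructed input, the concatenated script ends up with `a` set by the request rather than by the server, while the allow-list version emits nothing and the encoded version keeps the whole value inside `entity`.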
