  1. #1
    New to the CF scene
    Join Date
    May 2009
    Posts
    2
    Thanks
    3
    Thanked 0 Times in 0 Posts

    User Javascript: Question on security.

    Hey guys,

    I'm new to the forums and have a question relating security with user JavaScript. This post will be somewhat long-winded as I like to explain in full detail.

    The Aim

    I have been developing the 3rd version of my website for a while now. The website allows a user to create their own Virtual Pet Game by simply signing up, choosing a game name and clicking create. All the files are then generated (Core Language is PHP) and then they can edit their game, add new items and pets and so on using their game's control panel, much like a built in backend admin panel.

    With the upcoming 3rd version, I wanted to allow users to be able to create their own features and games using JS. And I would set up some prebuilt hidden functions like setMoney(xxx); for changing their game money etc.
    These functions are hidden and cannot be edited, and use Ajax to work the required PHP to change the money.

    However, I know allowing user JS is a security flaw. The users cannot upload their own JS files, but one is generated for them. They can then put JavaScript into this file (Via a textarea within their cPanel) and click the save button.

    From here I use PHP's str_ireplace() function to remove JS (Or parts of functions) that could potentially be dangerous, as well as a few other bits. So far I have.

    Code:
    $NewJs = str_ireplace("getHTTPObject", "", $NewJs);
    $NewJs = str_ireplace("onreadystatechange", "", $NewJs);
    $NewJs = str_ireplace("request.open", "", $NewJs);
    $NewJs = str_ireplace("request.send", "", $NewJs);
    $NewJs = str_ireplace("readyState", "", $NewJs);
    $NewJs = str_ireplace("JSON", "", $NewJs);
    $NewJs = str_ireplace("document.cookie", "", $NewJs);
    $NewJs = str_ireplace("XSS", "", $NewJs);
    $NewJs = str_ireplace("iframe", "", $NewJs);
    $NewJs = str_ireplace("jQuery", "", $NewJs);
    $NewJs = str_ireplace("ajax", "", $NewJs);
    $NewJs = str_ireplace("$.get", "", $NewJs);
    $NewJs = str_ireplace("<script", "", $NewJs);
    $NewJs = str_ireplace("</script>", "", $NewJs);
    $NewJs = str_ireplace("&gt;script", "", $NewJs);
    $NewJs = str_ireplace("XMLHttpRequest", "", $NewJs);
    $NewJs = str_ireplace("ActiveXObject", "", $NewJs);

    What I would like to know is if I have missed anything important, or if there is another way of safely allowing JS whilst securing potentially dangerous functions.

    [EDIT:] For purpose of clarity. Here is a hospital feature using some prebuilt functions that a user could make themselves.

    Code:
    function Hospital(money,petHealth,petMaxHealth){
    
      if(money < 100){
    
        document.getElementById('MyHospital').innerHTML = "Sorry, but you cannot afford my medical services.";
    
      } else {
    
        setHealth(petMaxHealth); // Prebuilt function to set pet health back to full.
        var newMoney = money - 100;
        setMoney(newMoney); // Prebuilt function to change money.
    
        document.getElementById('MyHospital').innerHTML = "Don't worry, your pet will be fine. <br /> You paid 100 for medical treatment.";
     
      }
    
    }
    This of course will allow users to make their game more custom. But security is an issue before I consider making it an available feature.

    Thanks in advance.
    Last edited by LordDan; 05-19-2009 at 08:08 PM. Reason: Fixed my bad grammar.

  • #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,314
    Thanks
    203
    Thanked 2,564 Times in 2,542 Posts
    Javascript is inherently insecure, and if there is a sufficient incentive (such as a prize, competition etc.) then the script kiddies will surely crack it.

  • Users who have thanked Philip M for this post:

    LordDan (05-20-2009)

  • #3
    Regular Coder
    Join Date
    Nov 2007
    Location
    Chicago
    Posts
    134
    Thanks
    2
    Thanked 9 Times in 9 Posts
    Quote Originally Posted by Philip M View Post
    Javascript is inherently insecure, and if there is a sufficient incentive (such as a prize, competition etc.) then the script kiddies will surely crack it.
    I have to agree 100%. Allowing users to write scripts of any kind is just a bad idea. Look at MySpace as an example... profile pages with all kinds of crap on them.

    The bottom line is that JavaScript opens the door for things like cross-site scripting, among other security holes. I would avoid this idea altogether if I were you.

  • Users who have thanked arthurakay for this post:

    LordDan (05-20-2009)

  • #4
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,461
    Thanks
    11
    Thanked 600 Times in 580 Posts
    i would use json to allow modifiable parameters without arbitrary logic code.
    JSON is very safe, but the code you posted is basically useless (no offense)

    for example:
    while you would find document.cookie,
    you would miss document['cookie'] or better yet: window['docu'+'ment']['cook'+'ie'];

    as creative as you can get, someone with more time can find a way to be more creative.
    - String.fromCharCode(0x22, 0x32, 0x22);
    - eval("DOCUMENT".toLowerCase());

    see what i mean?
    Last edited by rnd me; 05-19-2009 at 11:49 PM.
    my site (updated 2014/10/20)
    BROWSER STATS [% share] (2014/9/03) IE7:0.1, IE8:4.3, IE11:9.2, IE9:2.7, IE10:2.6, FF:16.8, CH:47.5, SF:7.8, NON-MOUSE:37%

  • Users who have thanked rnd me for this post:

    LordDan (05-20-2009)
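
The JSON approach suggested in post #4, as an added example that is not part of the original thread: the Hospital feature is stored as data, checked against an allow-list, and run by site-written code, so no user-supplied logic ever executes. The key names, limits and the `healToMax` effect are assumptions made for this sketch.

```javascript
// Added example: a user feature described as JSON data, run by trusted code.
// Key names, limits and the effect list are assumptions made for this sketch.
const ALLOWED_KEYS = ["name", "cost", "effects", "okMessage", "failMessage"];
const ALLOWED_EFFECTS = {
  // Site-written functions; user data can only select them by name.
  healToMax: (s) => ({ ...s, petHealth: s.petMaxHealth }),
};

function validateFeature(jsonText) {
  let def;
  try {
    def = JSON.parse(jsonText); // parses data only, never executes anything
  } catch (e) {
    return { ok: false, error: "not valid JSON" };
  }
  if (def === null || typeof def !== "object" || Array.isArray(def))
    return { ok: false, error: "feature must be an object" };
  for (const key of Object.keys(def))
    if (!ALLOWED_KEYS.includes(key)) return { ok: false, error: "unknown key: " + key };
  if (!Number.isInteger(def.cost) || def.cost < 0 || def.cost > 1000000)
    return { ok: false, error: "cost must be an integer from 0 to 1000000" };
  for (const key of ["name", "okMessage", "failMessage"])
    if (typeof def[key] !== "string" || def[key].length > 200)
      return { ok: false, error: key + " must be a string of at most 200 chars" };
  // hasOwnProperty keeps inherited names such as "constructor" out.
  const known = (e) => typeof e === "string" &&
    Object.prototype.hasOwnProperty.call(ALLOWED_EFFECTS, e);
  if (!Array.isArray(def.effects) || !def.effects.every(known))
    return { ok: false, error: "effects must list allowed effect names" };
  return { ok: true, feature: def };
}

// Trusted interpreter: the only logic that ever touches game state.
function runFeature(feature, state) {
  if (state.money < feature.cost) return { state, message: feature.failMessage };
  let next = { ...state, money: state.money - feature.cost };
  for (const name of feature.effects) next = ALLOWED_EFFECTS[name](next);
  // message is untrusted text: display it with textContent, not innerHTML
  return { state: next, message: feature.okMessage };
}

// Constructed sample input: the thread's Hospital feature as data.
const HOSPITAL_JSON = JSON.stringify({
  name: "Hospital", cost: 100, effects: ["healToMax"],
  okMessage: "Don't worry, your pet will be fine. You paid 100 for medical treatment.",
  failMessage: "Sorry, but you cannot afford my medical services.",
});
```

Strings such as `document['cookie']` placed in a message field pass validation only as inert text; the same validation belongs on the server that applies the money and health changes.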

  • #5
    New to the CF scene
    Join Date
    May 2009
    Posts
    2
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Thanks for all replies. I've scrapped the above.

    you would miss document['cookie'] or better yet: window['docu'+'ment']['cook'+'ie'];
    That's a good point, I completely forgot about this.

    i would use json to allow modifiable parameters without arbitrary logic code.
    I'm still looking into JSON, which you suggested on WebDeveloper forums, I think it was (Or someone with a similar name). I usually ask across a few boards as everyone has a different knowledge base.

    Thanks all.

    Regards.

