How easy is it to hack JavaScript (in a browser)?
My question is regarding JavaScript security.
Imagine an auth system. You're using a JavaScript framework like Backbone or AngularJS and you need to use secure endpoints. That is not a problem; the server always has the last word and will see if you're able to do what you want.
But what if you need a little security without involving the server? Is that impossible?
For example, you have your client-side routing system and you want a concrete route to be protected for logged-in users. So you ping the server asking if you're supposed to visit protected routes and you go on.
The problem is that when you ping the server, you store the response in a variable, so the next time you go to a private route, it will check if you are already logged in (no ping to the server) and, depending on the response, it will go or not.
So here comes my question. How easy is it for a user to modify that variable and get access?
My security (and JavaScript) knowledge is not that big. But what if a variable is not in global scope and is in the private part of a module pattern which only has a getter but no setters? Even in that case, can you hack the thing out?
We were discussing authentication systems with this kind of framework, but if relying on JavaScript is not an option, I see no way of doing this kind of thing.