Questions tagged [javascript]

The common name for the language used primarily for scripting in web browsers. It is not related to the Java language. Standardized as ECMAScript, its dialects/implementations include JavaScript and JScript.

1354 questions
47
votes
9 answers

How can I ensure my API is only called by my client?

I have an API Key to a paid service. This API is invoked from an unauthenticated page on my site. I am proxying the request to the paid service through my backend server. I have also added CORS on the API to make sure it is called from my site. The…
Johnny Donalistic
25
votes
3 answers

Can JavaScript be used to capture the user's screen?

Can JavaScript be used to capture the user’s screen? If so, is this functionality available in any JS framework? (I do not need code examples: I am mainly asking to form an opinion about the security capabilities of JavaScript.)
x457812
25
votes
5 answers

What's a way to safely test run untrusted JavaScript code?

I sometimes want to run untrusted JavaScript, mainly for CTFs. It can be obfuscated JavaScript code or something like JSFuck. The point is, I know nothing about the code and just want to quickly see its output. Of course, I don't want the JavaScript…
ChocolateOverflow
24
votes
5 answers

How to scan Javascript for malicious code?

We're planning to give the possibility to write community-driven extensions in javascript for our public webapp and let people customize their instances of the application. The problem is to monitor the quality of extensions. What would you…
Igor
15
votes
1 answer

How is it possible to poison JavaScript Array constructor and how does ECMAScript 5 prevent that?

From Django documentation of their JsonResponse: Before the 5th edition of ECMAScript it was possible to poison the JavaScript Array constructor. For this reason, Django does not allow passing non-dict objects to the JsonResponse constructor by…
gaazkam
12
votes
4 answers

How to step through malicious JavaScript?

There's a Facebook virus doing the rounds: Your face in 20 years (safe link, but don't follow the instructions). It clearly grabs some Javascript from a url (e.g. changeups.info/age/u.php?0.5069423061795533) and runs it on your page, which posts on…
fredley
11
votes
6 answers

Mobile Carrier Javascript Injection

So it appears that T-Mobile in the UK are injecting a javascript file into the head of files that are transferred over their mobile data network. The file in question is 1.2.3.8/bmi-int-js/bmi.js (contents below). My question is this: How does one…
user102804
11
votes
3 answers

Is there a particular security weakness from using server-side JavaScript?

I never used JavaScript server side, actually I didn't even know that it would be used or useful there. Now that I found out that it is possible and there is a quite active community, I am wondering if there are some known drawbacks when used on the…
smiley
10
votes
2 answers

Similarities among all/most malicious JavaScript

I'm working on a web app that notifies users on whether or not the JavaScript that they entered is malicious. I'm using this article (Examples of malicious javascript) for reference. Is it possible to create an equation with coefficients…
Suhass
7
votes
1 answer

How is this site forcing page reloads with JavaScript disabled?

I have disabled JavaScript using the Firefox extension uMatrix and yet some websites are still able to force page reloads at an interval referenced by a script on that page. How is this possible please, and can I prevent it? For example,…
Tom Brossman
5
votes
2 answers

User entered Javascript security implications

I'm creating a web site that lets people create their own site using a subdomain. Are there any security implications by letting people add custom javascript to their pages? If so, which ones? XSS? Cookie sniffing? Could I make it work by sanitising…
4
votes
1 answer

What are the best practices for (token based) security in a webapp?

I am designing a web application using Spring MVC with REST controllers and Angular JS pages which communicate with these REST controllers. I've implemented a token based security/ authorization mechanism that is working. (This one is based off the…
E. V. d. B.
4
votes
3 answers

what's the absolute worst damage javascript could do to a client?

Assuming I have a defenseless client computer running Windows 7 that will happily allow any javascript code it comes across on the internet, what's the worst damage that could be inflicted? I'm unclear on javascript's "reach". Could it erase files…
Drew
3
votes
2 answers

Is it possible to create a "signature" for a piece of JavaScript

Bear with me, I may have asked this question in a botched way. So I need some JavaScript code that creates a signature of JavaScript that is stored in a string. Here is an example: presignature = "; I need this…
Uma
3
votes
1 answer

Securely identify clients by web app

I have a web service S that provides certain services. There are two web apps, A1 and A2, both on different servers within the same VPN, which I trust and want to grant access to my web service. +------+ HTTPS +-----+ HTTPS +------+ | …
digory doo