javascript global variables - protection

I am using some global variables on a web application, built on Html/Javascript. I am using these variables across pages (or portions of them), and sometimes they are used as post data for ajax calls. My question is: how secure is this? Surely I can set different values for these variables (using a console for example) and then the calls that rely on this var are made. Imagine the user sets some Id that corresponds to something that he doesn't even have access to.

How should this be done?

Thanks in advance

There is nothing different about this from any web application, from a point of view of security.

Anything sent from the browser must be treated as untrusted by the server. This includes URL parameters, form post data, cookies, http headers and anything controlled by javascript. All these items can be manipulated by an attacker.

Essentially, it doesn't matter what the values are in the client; you only need to worry about them when they hit your server in the form of a new HTTP request (this includes XHR). Until that point, variables with bad values can't do any damage.

Ensure your server can correctly authenticate the current user and only allow them access to data and actions that they are authorised to perform. Ensure that all data received from the browser is checked to be correct (if known) or of the correct datatype and within expected limits, rejecting the data and aborting the action if it is not.
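The server-side check this answer describes, as an added example that is not part of the original answer: a handler that receives the id the client posted from a JavaScript global, derives the user only from the server-held session, validates the id's type and range, and enforces ownership. The record store, field names and user ids are constructed for the example.

```javascript
// Constructed sample store: record id -> owning user id. In a real
// application this lookup would hit the database.
const RECORDS = new Map([
  [101, "alice"],
  [102, "alice"],
  [103, "bob"],
]);

// Validate the raw body value: it must already be a positive safe integer.
// A string such as "101" or a float is rejected rather than coerced, so the
// client cannot smuggle in values the rest of the code does not expect.
function parseRecordId(raw) {
  if (typeof raw !== "number" || !Number.isSafeInteger(raw) || raw <= 0) {
    return null;
  }
  return raw;
}

// `session` is what the server established from the authenticated cookie;
// the user's identity is never read from the request body, because the body
// is whatever the client-side globals happened to contain when XHR fired.
function handleRecordRequest(session, body) {
  if (!session || typeof session.userId !== "string") {
    return { status: 401, error: "not authenticated" };
  }
  const id = parseRecordId(body && body.recordId);
  if (id === null) {
    return { status: 400, error: "invalid recordId" };
  }
  const owner = RECORDS.get(id);
  // Same response for "does not exist" and "belongs to someone else", so a
  // user who edits the global in the console cannot map the id space by
  // comparing status codes.
  if (owner === undefined || owner !== session.userId) {
    return { status: 403, error: "forbidden" };
  }
  return { status: 200, recordId: id, owner };
}
```

The same pattern applies to every field the client sends: the server re-checks type, range and authorisation on each request and ignores whatever the page's JavaScript claimed.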

If you use jquery, you can use $.data()

With this, you can associate the data with an element, thus an unauthorized user will not be able to access it

Javascript has runtime type identification (everything is a var like visual basic); it's a loosely typed language.

Javascript has its own security model though

  1. User cannot access files (r/write)
  2. It cannot access or look at user location, files, open windows without demand, etc.

It is not possible to protect the source of your javascript file either, or even pwd protecting it, as this is better done server side.

Even encryption or decryption doesn't work because somehow you need to tell your users the key

Worse, JavaScript can self-modify at run-time - and often does. That means that the security threat may not be in the syntax or the code when it's delivered to the client, but it might appear once the script is executed.

There is no JavaScript proxy that parses and rejects malicious script, no solution that proactively scans JavaScript for code-based exploits, no external answer to the problem. That means we have to rely on the browser developers to not only write a good browser with all the bells and whistles we like, but for security, as well.
