
Can a JavaScript library included in my HTML make a request to my site using my cookie session?

These days it's very common to include 3rd-party JS dependencies on your front-end project. Some ReactJS component, for example.

Is there anything that could prevent malicious code, bundled along with my other dependencies and served by my own server, from, say, deleting my account by making a simple AJAX call?

fetch("https://example.com/account", {
  method: 'DELETE'
});

If so, does that mean we shouldn't be using cookies at all?

This is a general problem for all open source libraries, both on the backend and frontend.

If an attacker can add malicious code to your frontend, the attacker can do anything your code can do. So cookies or JWT or some other authentication mechanism doesn't really matter much. The attacker could add a backchannel and get control (check http://beefproject.com/ )

This is even worse on the backend, where using backdoored code could potentially lead to someone compromising your server or stealing all your database contents.

With this in mind, you should make sure you are using the right libraries and do some vetting. People have been publishing backdoored versions of common JavaScript libraries in npm. Example: https://www.theregister.co.uk/2017/08/02/typosquatting_npm/
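One concrete vetting step for the typosquatting problem the answer links to is to check the dependency names in a package.json against the packages the project is known to use and flag near-misses for a human to review. The script below is an added example, not code from the question, the answer or any project; the allowlist, the sample manifest and the two-edit threshold are constructed for the demonstration, and the check is a heuristic that catches lookalike names, not a substitute for reviewing what a package actually contains.

```javascript
// Added example: flag dependency names that look like a known package but
// are not one, using Levenshtein edit distance. Everything below is
// constructed for this demonstration.

// Packages the project is known to use (constructed allowlist of real names).
const KNOWN_PACKAGES = ["react", "react-dom", "lodash", "express", "axios"];

// Constructed sample manifest: two legitimate dependencies and two names
// that differ from a known package by one or two characters.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-frontend",
  dependencies: {
    "react": "^18.2.0",
    "lodash": "^4.17.21",
    "loadsh": "^1.0.0",   // transposed letters of "lodash"
    "expres": "^4.0.0"    // one character dropped from "express"
  }
};

// Levenshtein edit distance between two strings (single-row DP).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // value of row[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // value of row[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Report every dependency that is not an exact allowlisted name but is
// within maxDistance edits of one. Exact matches are accepted; names far
// from every known package are left alone (they may be legitimate new
// dependencies and need ordinary review, not a lookalike warning).
function findSuspectDependencies(manifest, known = KNOWN_PACKAGES, maxDistance = 2) {
  const deps = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {})
  };
  const suspects = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue;
    let best = null;
    for (const candidate of known) {
      const distance = editDistance(name, candidate);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { name, lookalikeOf: candidate, distance };
      }
    }
    if (best) suspects.push(best);
  }
  return suspects;
}

// Usage: run against the constructed manifest and print the findings.
console.log(JSON.stringify(findSuspectDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

In a real project the allowlist would come from the previous reviewed lockfile rather than a hard-coded array, and a flagged name is a prompt to look at the package, not proof that it is malicious.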
