
User Javascript: Question on security.



LordDan
05-19-2009, 06:45 PM
Hey guys,

I'm new to the forums and have a question relating to security with user JavaScript. This post will be somewhat long-winded as I like to explain in full detail.

The Aim

I have been developing the 3rd version of my website for a while now. The website allows a user to create their own Virtual Pet Game by simply signing up, choosing a game name and clicking create. All the files are then generated (core language is PHP) and then they can edit their game, add new items and pets and so on using their game's control panel, much like a built-in backend admin panel.

With the upcoming 3rd version, I wanted to allow users to be able to create their own features and games using JS. I would set up some prebuilt hidden functions like setMoney(xxx); for changing their game money etc.
These functions are hidden and cannot be edited, and use Ajax to call the required PHP to change the money.

However, I know allowing user JS is a security flaw. The users cannot upload their own JS files, but one is generated for them. They can then put JavaScript into this file (via a textarea within their cPanel) and click the save button.

From here I use PHP's str_ireplace() function to remove JS (or parts of functions) that could potentially be dangerous, as well as a few other bits. So far I have:


$NewJs = str_ireplace("getHTTPObject", "", $NewJs);
$NewJs = str_ireplace("onreadystatechange", "", $NewJs);
$NewJs = str_ireplace("request.open", "", $NewJs);
$NewJs = str_ireplace("request.send", "", $NewJs);
$NewJs = str_ireplace("readyState", "", $NewJs);
$NewJs = str_ireplace("JSON", "", $NewJs);
$NewJs = str_ireplace("document.cookie", "", $NewJs);
$NewJs = str_ireplace("XSS", "", $NewJs);
$NewJs = str_ireplace("iframe", "", $NewJs);
$NewJs = str_ireplace("jQuery", "", $NewJs);
$NewJs = str_ireplace("ajax", "", $NewJs);
$NewJs = str_ireplace("$.get", "", $NewJs);
$NewJs = str_ireplace("<script", "", $NewJs);
$NewJs = str_ireplace("</script>", "", $NewJs);
$NewJs = str_ireplace("&gt;script", "", $NewJs);
$NewJs = str_ireplace("XMLHttpRequest", "", $NewJs);
$NewJs = str_ireplace("ActiveXObject", "", $NewJs);

What I would like to know is if I have missed anything important, or if there is another way of safely allowing JS whilst securing potentially dangerous functions.

[EDIT:] For the purpose of clarity, here is a hospital feature using some prebuilt functions that a user could make themselves.



function Hospital(money, petHealth, petMaxHealth) {
    if (money < 100) {
        document.getElementById('MyHospital').innerHTML = "Sorry, but you cannot afford my medical services.";
    } else {
        setHealth(petMaxHealth); // Prebuilt function to set pet health back to full.
        var newMoney = money - 100;
        setMoney(newMoney); // Prebuilt function to change money.

        document.getElementById('MyHospital').innerHTML = "Don't worry, your pet will be fine. <br /> You paid 100 for medical treatment.";
    }
}


This of course will allow users to make their game more custom. But security is an issue before I consider making it an available feature.

Thanks in advance. :thumbsup:

Philip M
05-19-2009, 07:47 PM
Javascript is inherently insecure, and if there is a sufficient incentive (such as a prize, competition etc.) then the script kiddies will surely crack it.

arthurakay
05-19-2009, 10:17 PM
Javascript is inherently insecure, and if there is a sufficient incentive (such as a prize, competition etc.) then the script kiddies will surely crack it.

I have to agree 100%. Allowing users to write scripts of any kind is just a bad idea. Look at MySpace as an example... profile pages with all kinds of crap on them.

The bottom line is that JavaScript opens the door for things like cross-site scripting, among other security holes. I would avoid this idea altogether if I were you.

rnd me
05-19-2009, 10:47 PM
I would use JSON to allow modifiable parameters without arbitrary logic code.
JSON is very safe, but the code you posted is basically useless (no offense).

For example:
while you would find document.cookie,
you would miss document['cookie'] or better yet: window['docu'+'ment']['cook'+'ie'];

As creative as you can get, someone with more time can find a way to be more creative.
- String.fromCharCode(0x22, 0x32, 0x22);
- eval("DOCUMENT".toLowerCase());

See what I mean?
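A worked version of the suggestion above (and of the Hospital feature from the first post), added here as an example; it is not code from the thread or from the site it describes. Users supply a JSON feature definition (data) and fixed, site-owned code interprets it, so nothing the user writes is ever executed as script and there is no blacklist to bypass. The feature schema, the game state object and the setMoney/setHealth hooks are assumed stand-ins for the thread's prebuilt functions.

```javascript
// Added example: a declarative, JSON-driven replacement for user-written JS.
// Assumed/hypothetical: FEATURE_SCHEMA, the state object and the hooks are
// stand-ins for the site's real prebuilt setMoney/setHealth functions.

// Whitelist of feature types and the fields each may carry, with type and bounds.
const FEATURE_SCHEMA = {
  heal: {
    cost:        { type: "number", min: 0, max: 1000000 },
    message:     { type: "string", maxLen: 200 },
    failMessage: { type: "string", maxLen: 200 },
  },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse and validate a user-supplied feature definition. Returns a plain object
// containing only whitelisted, type-checked fields, or throws on anything else.
function parseFeature(jsonText) {
  let raw;
  try {
    raw = JSON.parse(jsonText); // JSON.parse never evaluates code, unlike eval()
  } catch (e) {
    throw new Error("feature definition is not valid JSON");
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new Error("feature definition must be a JSON object");
  }
  // Look up the type with hasOwn so user-controlled keys such as "__proto__"
  // or "constructor" cannot resolve to inherited Object.prototype members.
  if (typeof raw.type !== "string" || !hasOwn(FEATURE_SCHEMA, raw.type)) {
    throw new Error("unknown feature type: " + String(raw.type));
  }
  const fields = FEATURE_SCHEMA[raw.type];
  const clean = { type: raw.type };
  for (const key of Object.keys(raw)) {
    if (key === "type") continue;
    if (!hasOwn(fields, key)) throw new Error("field not allowed: " + key);
    const rule = fields[key];
    const value = raw[key];
    if (rule.type === "number") {
      if (typeof value !== "number" || !Number.isFinite(value) ||
          value < rule.min || value > rule.max) {
        throw new Error("bad number for " + key);
      }
    } else if (rule.type === "string") {
      if (typeof value !== "string" || value.length > rule.maxLen) {
        throw new Error("bad string for " + key);
      }
    }
    clean[key] = value;
  }
  for (const key of Object.keys(fields)) {
    if (!hasOwn(clean, key)) throw new Error("missing field: " + key);
  }
  return clean;
}

// Escape text before it reaches innerHTML, so a user message can never inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Site-owned interpreter: applies a validated feature to the game state through
// the prebuilt hooks and returns the HTML-safe message to display. State and
// hooks are passed in so the function can be exercised without a browser.
function runFeature(feature, state, hooks) {
  if (feature.type === "heal") {
    if (state.money < feature.cost) {
      return escapeHtml(feature.failMessage);
    }
    hooks.setHealth(state.petMaxHealth);
    hooks.setMoney(state.money - feature.cost);
    return escapeHtml(feature.message);
  }
  throw new Error("unhandled feature type");
}

// Constructed sample: the hospital from the original post, as data instead of code.
const HOSPITAL_JSON = JSON.stringify({
  type: "heal",
  cost: 100,
  message: "Don't worry, your pet will be fine. You paid 100 for medical treatment.",
  failMessage: "Sorry, but you cannot afford my medical services.",
});

// Simple in-memory hooks standing in for the Ajax-backed setMoney/setHealth.
function makeState(money, petHealth, petMaxHealth) {
  const state = { money, petHealth, petMaxHealth };
  const hooks = {
    setMoney:  (m) => { state.money = m; },
    setHealth: (h) => { state.petHealth = h; },
  };
  return { state, hooks };
}

// In the browser the call would be:
//   document.getElementById('MyHospital').innerHTML =
//     runFeature(parseFeature(userJson), state, hooks);
```

The same validation belongs on the PHP side before the definition is stored, since the client copy can be edited by the player; the point is that the set of things a feature can do is fixed by the interpreter, and a user can only choose values within the schema's bounds.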

LordDan
05-19-2009, 11:36 PM
Thanks for all the replies. I've scrapped the above.


you would miss document['cookie'] or better yet: window['docu'+'ment']['cook'+'ie'];

That's a good point, I completely forgot about this.


I would use JSON to allow modifiable parameters without arbitrary logic code.

I'm still looking into JSON, which you suggested on the WebDeveloper forums, I think it was (or someone with a similar name). I usually ask across a few boards as everyone has a different knowledge base.

Thanks all.

Regards.
