View Full Version : Security risks of letting users execute javascript?

Jun 13th, 2008, 03:53 PM
I was thinking it would be kind of useful to have a console like thing on my website. If the site is a large website like this one, what kinds of security risks would be present if they could type in whatever text they wanted then execute it?
I don't think it would be bad at all because they can just as easily do that in the URL bar of their browser.

javascript: blah; blah;

Also, there wouldn't be a way for their scripts to affect other users, or the server. At least, none I can think of.

What are your thoughts/concerns?

Philip M
Jun 13th, 2008, 05:20 PM
What would be the point?

On the face of it it sounds a bad idea, but as you say their scripts would not affect other users or the server. Or not - what about AJAX?

Jun 13th, 2008, 10:10 PM
It would just be a fun little thing I guess. Do you think they could do any harm from it?

rnd me
Jun 13th, 2008, 10:46 PM
i don't see any harm, other than inviting attacks.

you can already do this using firebug, and selecting 'larger command line" under options.

i have greasmonkey going on this forum that uses vbforum apis to perform some of the tasks.

let the user arrange their bits however they want, it wont affect you, your site, or other users.

one thing to watch out for is letting people post their scripts, and having the code be accessible to others. if users blindly execute unknown scripts, they could compromise cookie info, and open the usual mimetype handler issues associated with javascript hacking.

Jun 13th, 2008, 10:56 PM
ahh right, XSS right? ya, I don't want that.