Is there a way to verify that the user changed the jQuery/JavaScript with Firebug during the use of client-side page?
Add a comment
|
3 Answers
No, there is no way to verify this.
When it comes to input from the browser, you should always verify and validate. Never trust the client.
4 Comments
FredB
Too bad, it seems that with the passing years, there is something missing.
Oded
@achat.net - Something missing? The advice is not new.
FredB
Not the advice, the possibility to control is missing ! probably my english.
Oded
@achat.net - But that possibility was never there. As soon as the process runs on a different machine, it is out of your control (assuming you don't control the other machine).
No. The client is fundamentally unsafe and belongs to the user, not you.
Comments
Short answer it doesn't matter.
Long answer:
It matters if you are treating the JavaScript as part of your application structure, similar to how a SQL injection attack does bad things to your system. You should validate that anything that gets passed from the client is sanitized before being stored. The interesting attack vector here is if you allow me to persist elements into the structure of the web page and retrieve them at a later time. You have opened the doors to a reflected XSS attack (one of my favorites). This is indicative of a failure to sanitize user input and/or a failure to separate concerns UI from the system level code.
