never_had_a_name

Reputation: 93266

Could browser javascript harm my backend server?

I'm coding an application where I want to let the user learn javascript in this way:

  1. The user writes JavaScript code in the browser, like in an IDE.
  2. The user saves it, and the code is stored as a string in my backend NoSQL database (MongoDB/CouchDB).
  3. The user opens the application some days later and I pass that string to the web browser, where the code is executed with eval().

There will be only JSON data transferred between backend server and web browser. The server won't do anything on the code string, it will only save it directly into the database.

Could this code possibly do any damage on the server side?

Upvotes: 3

Views: 353

Answers (5)

Hendrik Brummermann

Reputation: 8312

Using a nosql database only makes you invulnerable against "SQL injection", but there are very similar QL injection attack vectors. So you still have to escape your data or use data safe APIs (the equivalent of prepared statements in the SQL world).

Some examples of NoSQL injections are given on http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/ (search for "NoSQL Doesn’t Mean No SQL Injection" within that page).

For the client side: if possible, you should make sure that the JavaScript is only delivered to the user who uploaded it, unless the user is trusted. This includes a CSRF check on the login form. Wikipedia failed on this in the past.

Upvotes: 2
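One way to apply the "data safe API" point from the answer above to a MongoDB-style lookup of saved snippets. This is an added example, not code from the original question or answers; the field names, the request-body shape and the tiny in-memory matcher standing in for the driver are assumptions made for illustration.

```javascript
// Added example (not from the original page). Shows why a value taken from a
// JSON request body must be type-checked before it becomes part of a query.
// Assumed request body: { "user": "<id>", "code": "<snippet>" }.

// Constructed sample "collection" of saved snippets (assumption).
const SAMPLE_SNIPPETS = [
  { owner: "alice", code: "console.log('hi from alice')" },
  { owner: "bob",   code: "console.log('hi from bob')" },
];

// Stand-in for the driver's matching logic: plain equality for scalar values,
// and the $ne operator when the filter value is a nested object. Real drivers
// treat every nested object this way, which is what makes operator injection
// possible.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, arg]) =>
        op === "$ne" ? doc[field] !== arg : false);
    }
    return doc[field] === cond;
  });
}

function findSnippets(collection, filter) {
  return collection.filter((doc) => matches(doc, filter));
}

// Vulnerable: the body value goes straight into the filter. A body of
// { "user": { "$ne": null } } turns "one user's snippets" into "everyone's".
function buildOwnerFilterUnsafe(body) {
  return { owner: body.user };
}

// Hardened: the field is only ever a string. Anything else is rejected before
// it reaches the database, which is the NoSQL equivalent of binding a
// parameter instead of splicing text into a query.
function assertPlainString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}

function buildOwnerFilterSafe(body) {
  return { owner: assertPlainString(body.user, "user") };
}
```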

BrunoLM

Reputation: 100361

On the server side, no. Unless the script runs on IE and creates multiple files on disk. Or makes some requests to your system inserting billions of new entries...

So you have to take care with requests (flood control), be careful with IE and be careful with SQL injections.

Examples

And the request I'm talking about could be something like:

ajax.post("page_save_js.ext", "code=flood");

Then each time it runs it will insert a new code, flooding the server. StackOverflow controls this flood using captcha after some requests in a short amount of time.

Upvotes: 3

John Fisher

Reputation: 22717

Your server code won't run the javascript unless you tell it to somehow, so that won't cause problems. (And of course you should avoid any SQL injection issues.)

However, if you provide sensitive information in the page (hidden or otherwise), or allow JavaScript to make ajax calls into methods on your server, those can be security issues.

Upvotes: 2

hvgotcodes

Reputation: 120268

Any time you accept input from a user, you must check to make sure it doesn't contain things like SQL injection or JS injection.

So it can be dangerous to your server (SQL injection could wipe/output your DB) and to your users (JS injection could send them to nefarious sites).

Upvotes: 2

Jonathan S.

Reputation: 541

No harm can come from this if it's just stored as a string in the DB.

It's really no different from storing any other string. It's just data at that point.

Upvotes: 2
