g_b

Reputation: 12438

How to handle malicious JS when allowing users to upload their own JS

We have a website that allows users to upload their own JavaScript, which gets loaded with the site's pages. The problem is if a user adds a malicious script (e.g. a keylogger). Can anyone give any idea(s) on how to handle this?

Upvotes: 4

Views: 235

Answers (1)

TheGreatContini

Reputation: 6629

Wow, you are creating an attacker's playground! If you let the user (attacker) upload his own JavaScript, then there are so many malicious things he can do.

I disagree with the people who are talking about scanning the JavaScript for viruses. Anti-virus software searches for known bad signatures in software and mainly targets malicious software that has affected a large number of people. Remember: each signature that anti-virus software checks against was the result of many man-hours' worth of analysis of a known threat. It does not detect zero-day threats! When you let a user write his own JavaScript, he is not limited to these known bad signatures. He can do whatever he wants, and there is no way that anti-virus software can tell whether what is happening is malicious or intended by business logic.

Let's start to illustrate some concerns if you allow a user (= attacker) to upload his own JavaScript:

  • Unless you put httpOnly on all of your cookies, the attacker can read them. For example, he may be able to hijack sessions.
  • The attacker can read keyboard and mouse events. For example, he may be able to steal user passwords.
  • How do you prevent cross-site request forgery? By letting the attacker upload his own JavaScript, he can bypass your protection and perform any action he wants. For example, he could create a DoS attack that makes every user upload content of his choice. Then, whenever somebody comes to your server, it takes forever to load a page because there is too much JavaScript to download before anything can happen.
  • The attacker can read anybody else's DOM and send it anywhere. If there is anything private or sensitive in the DOM, the attacker has it.
  • The attacker can DoS any other user with alerts or various other methods.

If you want, you can play the cat-and-mouse game: you propose a way to prevent the issues I mention above, then I tell you how the attacker can bypass it, then you alter your solution, then I alter my attack, and so on. You might be able to prevent some things, but you won't be able to prevent all of the attacks. Security is hard!

Bottom line: don't do it!

Upvotes: 2
