Reputation: 3067
I got to write a jQuery script like
function DeleteFile(_FileID)
{
//ajax method to delete the file
}
and the fileId is present in the rel attribute of the list.
Now my problem is: when I called "DeleteFile" from Firebug, passing the fileId (which I know from the rel), the file actually gets deleted. What could be the solution to this problem?
Upvotes: 1
Views: 220
Reputation: 168665
Firebug has access to all JavaScript variables and functions. So do the developer tools in the various other browsers. You cannot get around this. (In fact, because Firebug and friends are run as browser plug-ins, they actually have more access to some things than normal JavaScript that's included in a web page.)
Even if Firebug didn't exist, a malicious user could use other debugging or administrator tools to sniff the HTTP query that gets generated by your DeleteFile() function and replicate the query, putting any parameter he wanted into the GET or POST. A good example of the kind of tool that can do this is Fiddler, but there are plenty of others.
In short, the browser environment is a fundamentally insecure place, and your server should never blindly trust anything that comes from the browser.
Rather than trying to secure the DeleteFile() function from within the browser, which is impossible, you should instead secure the server-side code which DeleteFile() posts to. This code can be secured by only allowing files to be deleted which the user has legitimate access to delete.
Once that's in place, it really doesn't matter if the user starts hacking the front-end script with Firebug, because he won't be able to do anything which he isn't allowed to do anyway. The worst that can happen would be that his hacking would make the browser's display go out of sync with what is actually on the server, but that would be his own fault and his own problem; it shouldn't mean anything to the server.
Upvotes: 8
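The server-side check the answer above recommends, sketched as an added example that is not part of the original answer or the asker's code. The names `handleDelete`, `files` and the session shape are hypothetical, and the in-memory map stands in for whatever database the real endpoint uses.

```javascript
// Added example: authorization enforced on the server for the delete endpoint.
// All names here (files, handleDelete, session.userId) are hypothetical.

// Constructed sample data: file id -> owner and name.
const files = new Map([
  ["101", { ownerId: "alice", name: "report.pdf" }],
  ["102", { ownerId: "bob", name: "notes.txt" }],
]);

// Decide a delete request using only server-side state.
// `session` comes from the server's session store, never from the request.
// `fileId` is the untrusted value the browser sent (the rel attribute).
function handleDelete(session, fileId, store = files) {
  if (!session || !session.userId) {
    return { status: 401, body: "login required" };
  }
  // Untrusted input: accept only short digit strings as ids.
  if (typeof fileId !== "string" || !/^[0-9]{1,12}$/.test(fileId)) {
    return { status: 400, body: "bad file id" };
  }
  const file = store.get(fileId);
  // Same answer for "missing" and "not yours", so ids cannot be probed.
  if (!file || file.ownerId !== session.userId) {
    return { status: 404, body: "not found" };
  }
  store.delete(fileId);
  return { status: 204, body: "" };
}

// The same request, whether sent by the page or replayed from Firebug/Fiddler.
function demo() {
  const store = new Map(files); // work on a copy of the sample data
  const alice = { userId: "alice" };
  return [
    handleDelete(alice, "102", store).status, // bob's file: refused
    handleDelete(alice, "101", store).status, // her own file: deleted
    handleDelete(null, "101", store).status,  // no session: rejected
    store.has("102"),                         // bob's file still exists
  ];
}
console.log(demo());
```

With this in place, calling `DeleteFile()` from the console with someone else's id produces the same refusal as any other unauthorized request.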