vezult

Reputation: 5243

Secure programming in dynamic languages

Mistakes in memory management in C, C++, and their ilk are well known. I mostly program in dynamic, weakly typed languages. Are there issues which are particularly important in languages of this type? What language specific issues might I keep an eye out for?

I'm generally mindful of standard security issues, and try to think about the ways in which code could be misused, but am sure there are plenty of less superficial mistakes I could be making, and am interested in expanding my knowledge in this area.

Upvotes: 2

Views: 422

Answers (4)

ArBR

Reputation: 4082

In the case of JavaScript the main vulnerabilities according to the EC-Council Secure Programmer Vol.1 are the following:

Cross Site Scripting (XSS). In an XSS attack, attackers submit client-side executable scripts by inserting malicious JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable dynamic page and execute the script on the user's machine to collect the user's information.

Avoiding XSS:

Constrain Input:

  • Define a codepage that decides which characters are problematic.
  • Restrict variables to characters that are explicitly allowed.
  • Filter metacharacters depending on the interpreter (HTML, browser and file system).

Apply canonicalization:

  • The canonicalization technique brings the input to an appropriate form before validating the input.

Validate the input:

  • Validate all external input for field length, data type, range, and against a white list to ensure acceptance of only known unproblematic characters.

Encode Output

  • Convert metacharacters, e.g. <, > and "; use HTML entities instead.
  • Encode user-supplied output so that any inserted scripts are prevented from being transmitted to users in an executable form.

JavaScript Hijacking: Allows an unauthorized party to read confidential information. Occurs because most web browsers that implement a security model do not anticipate the use of JavaScript for communication. JavaScript Hijacking is generally carried out through cross-site request forgery. Cross-site request forgery is an attack that enables the victim to submit one or more HTTP requests to a vulnerable website. This attack compromises data integrity and confidentiality, meaning an attacker can read the victim's information and modify the information stored on the vulnerable site.

A JavaScript Hijacking attack can be defended against:

  • By declining malicious requests.
  • By preventing direct execution of the JavaScript response.

Upvotes: 1
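The four steps in this answer (constrain, canonicalize, validate, encode) plus the two JavaScript hijacking defences, carried through in Python as an added example; this is not code from the original answer or from the EC-Council text. The username and age policy, the `X-Requested-With` convention and the `)]}',` prefix are assumptions chosen for the example:

```python
import html
import json
import re
import unicodedata

# Constrain input: an explicit whitelist of allowed characters. Assumed policy
# for this example: a username is 3-20 ASCII letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
AGE_RE = re.compile(r"[0-9]{1,3}")


def canonicalize(value):
    """Bring input into one canonical form *before* validating it.

    NFKC folds compatibility characters (for instance full-width letters)
    into their plain ASCII equivalents, so a whitelist cannot be bypassed
    by sending an alternative encoding of the same character.
    """
    return unicodedata.normalize("NFKC", value).strip()


def validate_username(raw):
    """Validate data type, length and character set against the whitelist."""
    if not isinstance(raw, str):
        raise ValueError("username must be a string")
    value = canonicalize(raw)
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username has disallowed characters or bad length")
    return value


def is_valid_username(raw):
    """Boolean wrapper around validate_username for callers that only need a verdict."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


def validate_age(raw):
    """Range validation: data type first, then a sane numeric range."""
    value = canonicalize(raw)
    if not AGE_RE.fullmatch(value):
        raise ValueError("age must be a non-negative integer")
    age = int(value)
    if not 0 <= age <= 150:
        raise ValueError("age out of range")
    return age


def encode_html(value):
    """Encode output: the metacharacters <, >, &, " and ' become HTML entities."""
    return html.escape(value, quote=True)


def render_greeting(display_name):
    """Untrusted data is interpolated into HTML only after encoding."""
    return "<p>Hello, " + encode_html(display_name) + "!</p>"


# JavaScript hijacking / CSRF defences for a JSON endpoint.
# The prefix makes the body a syntax error if a hostile page loads it via <script>.
JSON_PREFIX = ")]}',\n"


def json_response(data, method, headers):
    """Decline cross-site requests, and prevent direct execution of the reply.

    Assumed convention for this example: the legitimate client sends POST
    with an X-Requested-With header. A browser will not attach a custom
    header to a cross-origin request without a CORS preflight, so a forged
    request from another site fails the check.
    """
    if method != "POST" or headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    body = JSON_PREFIX + json.dumps(data)
    response_headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, response_headers, body
```

The legitimate client strips the `)]}',` prefix before calling `JSON.parse`; the point of the prefix is that the same bytes are useless to a `<script src=...>` include on an attacker's page.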

Bjorn

Reputation: 71900

Just because you're not writing the lower-level code doesn't mean that the language you are using, and therefore your app, won't have these kinds of security problems. So my answer to your question is to ensure that you stay up to date on the latest releases of whatever tools you are using. This is more of an issue for you if you host the environment in which your app runs; otherwise it's more of a problem for users of your app if they have to run it on their machines.

Upvotes: 2

James Black

Reputation: 41858

If you use anything similar to eval() then there are risks of attacks, especially if you are trusting something from outside your application.

Upvotes: 2

Brian Rasmussen

Reputation: 116421

SQL Injection is a common attack which doesn't depend on type management. Generally, missing input validation is a very common reason for security issues.

Upvotes: 1
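The injection this answer refers to, demonstrated end to end with Python's built-in `sqlite3` module as an added example (not code from the original answer): a lookup built by string concatenation beside the parameterized version, with whitelist validation layered on top. The table, its rows and the username policy are constructed for the example:

```python
import re
import sqlite3

# Assumed policy for this example: a username is 1-32 ASCII word characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory sample database for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, api_key) VALUES (?, ?)",
        [("alice", "key-a"), ("bob", "key-b"), ("carol", "key-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the attacker's text is parsed as part of the SQL.
    Input "x' OR '1'='1" turns the WHERE clause into a tautology."""
    query = ("SELECT username FROM users WHERE username = '"
             + username + "' ORDER BY id")
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Bound parameter: the value is sent separately from the statement and
    is never parsed as SQL, whatever quotes or keywords it contains."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (username,))]


def is_valid_username(username):
    """Whitelist check: type and character set."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: validate against the whitelist, then bind the value."""
    if not is_valid_username(username):
        raise ValueError("username contains disallowed characters")
    return lookup_parameterized(conn, username)
```

One caveat when reproducing this: Python's `sqlite3.execute` refuses to run a second stacked statement, so a payload like `'; DROP TABLE users; --` raises an error here instead of succeeding. That is a property of this particular driver, not a defence to rely on; the tautology payload still dumps every row through the concatenated query.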
