preventing javascript injections from navigation bar - javascript

I was playing around with cookies and stuff, until I noticed a website saying that you can easily set cookies via the navigation bar with one simple code;
javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"
while doing this, I could login on one computer, copy the cookie data to another computer, and set the same cookie via this code, after a refresh I was logged in with the same user.
(just on a simple webpage I made myselve)
this seems like a security issue to me, I mean, ofcourse they would first need to get the cookie data, but without that, I imagine that you could do alot of damage with the javascript: from the cookies aside.
Is there any way to prevent the usage of javascript: from the navigation bar?

The user is the security issue not Javascript. The user gave you the session id - i.e. do you give out your keys/passwords to others? If you do what can the site do? Send around a blioke to look over your sholder all the time

Javascript is only excecuted client side, (exception is nodejs). So no harm can be done to the server.

Javascript runs in the users browser.We dont have any control over it.
The thing you can do is to obfuscate or hash variable names and/or values.
See here

You cannot prevent JavaScript usage from the navigation bar. I could visit your website and use the Internet Explorer debug tool, Chrome debug tool or FireBug to launch JavaScript code on your page.
Since JavaScript runs on the on the visitor's local computer, you will have no control over it. Only the visitor has control over what cookies will be stored in the browser.
What you need to do is to take measurements of security server-side. But yes, all authentication-processes that depend on a session cookie will have the security issue you are explaining.

Related

How to hide/secure session/encryption key in client side javascript from addon/extension

This is not a question if a web application can be safe/secure to use !!
But if I have a session or encryption key and like to hide it as good as possible on the client side with javascript - what is the best approach?
I wanted to use sessionStorage until I found out that any extension can read this from the content script at least in Chrome. In my view this is a big mistake from the developers as they hide the web pages javascript from the extension but allow it to see web-storage. Everywhere it is stated that the extension can only see the DOM but I do not think most people think that this also include web-storage!
So how can I secure a session key so it is away from reach of an extension? Unable to encrypt it as I then just need to hide the key. The problem is that the session have to be valid for all pages of the site so I can not just keep it in javascript as it is refreshed on each page load.
A cookie is in my view just as bad!
NB: Do not know if this is also a problem for other browsers
An extension, given permission to access your page, can do anything.
A code injected as a <script> tag from a content script into the DOM will execute regardless of your CSP in the context of your page, will full access to your JS context.
That is not to even to mention chrome.debugger API.
So no, you cannot secure your client-side data from extensions that user consented to run on your page, just as you can't secure your data from the browser itself.

how to code for users with disabled cookies and popups

Here's the situation: I'm redesigning our company's public facing website using ASP.NET, VB.NET and some javascript/jquery. Some of the features I'm adding require page reloads (which register as popups) and cookies. Works great if everything is enabled. But I've noticed on some browsers (such as Firefox) I still get prompted to ok these actions, retain these cookies, etc. Now I can code some contingencies for simpler pages for users who will not or can not enable these features, but I'd like to find a way to make it as simple as possible to enable the full features. From what I've read, there's no way I can actually force it to happen the way you can force a browsers document mode by settings in the web.config file, but I am hoping there is some way to give them a button to click (or something similar) where it will enable what I need. Is there a way to do this programmatically? what I'm looking for is some code that will make the changes, instead of directing them to go into e.g. Internet Explorer security settings, which most end users find tedious if not incomprehensible.
Advice?
You can avoid using cookies. Use Session or a database backend for things you would normally use cookies for. For popups, use overlaid divs such as Ajax Control Toolkit Modal Popup Extender or jQuery UI Dialog instead of starting a new browser window.
But really, ASP.NET is designed to function with cookies. If you're users aren't using them, tell them they're penalizing themselves.
Certain browser features are ONLY user-configurable for security reasons. You cannot provide a button to change these settings because they would then not user-configurable.
All you can do is warn the user.
JavaScript cannot change a client browser's setting due to security reason. Otherwise, all hell will break loose.
Note: you can if you create an executable program, and a user runs on his/her computer.
However, you should never change a user's browser setting.
Instead you should give the warning and instruction to a user which is a proper way of doing it.
Disable Javascript
Disable Cookie

How do you keep content from your previous web page after clicking a link?

I'm sorry if this is a newbie question but I don't really know what to search for either. How do you keep content from a previous page when navigating through a web site? For example, the right side Activity/Chat bar on facebook. It doesn't appear to refresh when going to different profiles; it's not an iframe and doesn't appear to be ajax (I could be wrong).
Thanks,
I believe what you're seeing in Facebook is not actual "page loads", but clever use of AJAX or AHAH.
So ... imagine you've got a web page. It contains links. Each of those links has a "hook" -- a chunk of JavaScript that gets executed when the link gets clicked.
If your browser doesn't support JavaScript, the link works as it normally would on an old-fashioned page, and loads another page.
But if JavaScript is turned on, then instead of navigating to an HREF, the code run by the hook causes a request to be placed to a different URL that spits out just the HTML that should be used to replace a DIV that's already showing somewhere on the page.
There's still a real link in the HTML just in case JS doesn't work, so the HTML you're seeing looks as it should. Try disabling JavaScript in your browser and see how Facebook works.
Live updates like this are all over the place in Web 2.0 applications, from Facebook to Google Docs to Workflowy to Basecamp, etc. The "better" tools provide the underlying HTML links where possible so that users without JavaScript can still get full use of the applications. (This is called Progressive Enhancement or Graceful degradation, depending on your perspective.) Of course, nobody would expect Google Docs to work without JavaScript.
In the case of a chat like Facebook, you must save the entire conversation on the server side (for example in a database). Then, when the user changes the page, you can restore the state of the conversation on the server side (with PHP) or by querying your server like you do for the chat (Javascript + AJAX).
This isn't done in Javascript. It needs to be done using your back-end scripting language.
In PHP, for example, you use Sessions. The variables set by server-side scripts can be maintained on the server and tied together (between multiple requests/hits) using a cookie.
One really helpful trick is to run HTTPFox in Firefox so you can actually monitor what's happening as you browse from one page to the next. You can check out the POST/Cookies/Response tabs and watch for which web methods are being called by the AJAX-like behaviors on the page. In doing this you can generally deduce how data is flowing to and from the pages, even though you don't have access to the server side code per se.
As for the answer to your specific question, there are too many approaches to list (cookies, server side persistence such as session or database writes, a simple form POST, VIEWSTATE in .net, etc..)
You can open your last closed web-page by pressing ctrl+shift+T . Now you can save content as you like. Example: if i closed a web-page related by document sharing and now i am on travel web page. Then i press ctrl+shift+T. Now automatic my last web-page will open. This function works on Mozilla, e explorer, opera and more. Hope this answer is helpful to you.

Setting cookies within an iFrame

I know this is a very talked about subject but just wanted to check something with you knowledgeable people.
I've got a domain, say domain-A, that is out of my control, housing an application from domain-B, developed by me, in an iFrame. The application within the iFrame uses cookies a lot. Should this work?
I'm not trying to read cookies between domain-A and domain-B, I purely want to set cookies in domain-B and read them in domain-B.
All seems fine in Chrome but IE doesn't want to play the game.
Can anybody give me some guidance please?
Thanks,
Andy.
From the server point of view, this should work fine. Your domain B will receive cookies from the IFRAME, as if it were just another web-page.
From the client side: sending the cookie could depend on policies set by the browser, of even by the user. Fiddle with the security level of your domain and the cookie settings in IE to get a hint of what is going on.

Debugging JavaScript cookies

I'm debugging a site that sets cookies via javascript, and I'd like to know exactly which lines are setting cookies as I run the page. Simply combing through the script is not an option because its so convoluted.. (it's not my script if you're wondering)
How can I easily find out which lines are setting cookies? I'm new to this, so if you can explain the exact steps in doing this I'd be very thankful.
I presume that document.cookie is the only way to set cookies with javascript, but if there's another way(s) that'd definitely be helpful to know, as I might've ignored said lines in reading through the script..
Background: I'm on Windows XP
Yes, document.cookie is how JS sets cookies. But remember:
Other parts of the page can set cookies. Cookies are primarily set in the HTTP response headers. Plugins, like Flash, set tons of cookies too.
The actual JS code that sets the cookie may be buried in a library.
It is possible that some programmers obfuscate the JS code, so that a search for "cookie" will fail.
Things to do:
Install the Web Developer add-on. This will allow you to easily see, edit, or delete cookies, for a given page -- including 3rd party cookies.
It also allows you to View the response headers -- to easily see if the cookies are being set that way. (clear cookies, reload the page, click: Information --> View Response Headers.)
Install the Firebug add-on and then the Firecookie plugin for Firebug.
Firecookie can show cookie events as they are happening. This, coupled with observation and use of JS breakpoints (Firebug feature) can help you narrow down where cookies are being manipulated.
Use firebug & firecookie to find the cookie's name. then search that name through the JS files using your IDE search feature.

Categories