This problem is regarding a JS hijacking scenario, and here it is:
Say Mr. Good has a website called "iamtooinnocent.com" which loads a "x.js" file to perform some particular tasks, and Mr. Bad is an evil cyber cafe owner, who has set a redirect rule in place that whenever any surfer using his cyber cafe visits Good's website then when the "x.js" file will be requested it will simply redirect it to some other evil domain which serves say a different "x.js" file with evil code in it, this way Good's website will never come to know that it has got a different JS file than what it has requested.
I hope I have explained the scenario properly, so my problem is how can this be prevented? Is there really a way to prevent this? Can this be prevented by serving the JS file using HTTPS, though I am not so sure? Can anybody give me some heads up regarding this?
Thanks in advance.
Asked Oct 28, 2009 at 16:05 by user198214
- Even if you could fix that, what's stopping the cafe owner from redirecting the entire domain to a phishing page? It might be a moot thing to try and prevent. – DA. Commented Oct 28, 2009 at 16:16
- @DA: I completely agree. I'm also of the opinion that your site's security should never depend on the user having a "well-behaved" javascript file. You should always be validating client input server side anyways. – snicker Commented Oct 28, 2009 at 16:18
- @DA Because this strategy allows the cyber cafe owner to perform actions using your account/credentials, which redirecting to a new page does not. – AaronSieb Commented Oct 28, 2009 at 16:33
- @AaronSieb the evil CyberCafe owner could also use a keylogger to steal credentials, browser plugins to do it whether the page comes from HTTPS or HTTP, etc. – Miguel Ventura Commented Oct 28, 2009 at 17:02
- I agree with you all, I do have a server-side input validation system in place, which checks all user inputs. @AaronSieb this is what I meant, serving a different JS file in this case without redirecting the whole site is actually problematic, because in such case that JS file can steal user credentials and perform some tasks against the interest of the site owner, it seems like it's a pretty tough issue. @Miguel I understand the keylogger and browser plugin thing, and probably I can't help much in this case without making site users' lives complicated. Anyway, thanks all for your comments – user198214 Commented Oct 29, 2009 at 3:48
4 Answers
HTTPS is standard for fighting man-in-the-middle attacks like the one you've described. It encrypts all traffic using the public certificate of your site. So it's not possible to change it. And the certificate itself is verified by third-party certificate authorities.
But it can't guarantee 100% security because it's possible to create a local fake certificate authority available only in the cafe.
If the computer owner is against you... you will have a hard time. The browser guarantees certain security rules, but the computer owner can modify it to his evil heart's content and you would be none the wiser...
Rule #1 in web security boils down to: NEVER trust the client.
Remember that clients can do just about anything with the data you are sending them, and the data they send YOU:
- modify cookies for subsequent requests
- alter or add/remove other HTTP headers, spoof User Agents
- Specify any combination of data in GET/POST
You should assume any data coming IN from HTTP to your application is a malicious, tainted, evil mess, and sanitize accordingly.
Is this the sort of cyber cafe where they provide the computers? If so, you just have to trust the owner, because you can't have security on somebody else's machine. If nothing else, they can install a hardware keylogger.
If this is the sort where they provide a wireless connection and you bring your laptop, HTTPS should be a safeguard. If your browser handles certificates and SSL properly, it should be possible to go to a site that has a verified certificate and be safe. If there are any problems in your browser, of course, the cyber cafe owner is in an ideal position to take advantage of it, so you might want to keep an eye on known vulnerabilities.
The best move is not to patronize cyber cafes run by evil owners, but that can be difficult in some parts of the world.
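An added example, not part of any answer above: a small audit that Mr. Good could run against his own page to list which script tags would be fetched over plain HTTP, and so could be redirected or swapped by whoever controls the network. The function name `audit_scripts`, the sample HTML and the `.example` hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hostnames are placeholders, not from the thread.
SAMPLE_HTML = """<html><head>
<script src="x.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="http://static.example/legacy.js"></script>
<script src="https://static.example/app.js"></script>
</head><body></body></html>"""

class _ScriptCollector(HTMLParser):
    """Collects <script src> values and the first <base href>, if any."""
    def __init__(self):
        super().__init__()
        self.srcs, self.base = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"].strip()
        elif tag == "script" and a.get("src"):
            self.srcs.append(a["src"].strip())

def audit_scripts(page_url, html):
    """Return (src, resolved_url, verdict) for every external script.

    'tamperable': fetched over plain HTTP, so anyone on the network path
                  can redirect or replace it without the site noticing.
    'ok':         fetched over HTTPS (certificate-checked by the browser).
    'review':     other schemes (data:, blob:, ...) that need a manual look.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    # Relative and protocol-relative URLs inherit the scheme of the page.
    base = urljoin(page_url, parser.base) if parser.base else page_url
    findings = []
    for src in parser.srcs:
        resolved = urljoin(base, src)
        scheme = urlsplit(resolved).scheme
        verdict = {"https": "ok", "http": "tamperable"}.get(scheme, "review")
        findings.append((src, resolved, verdict))
    return findings

if __name__ == "__main__":
    # Same markup, served over HTTPS and then over HTTP.
    for page in ("https://iamtooinnocent.example/", "http://iamtooinnocent.example/"):
        print(page)
        for src, resolved, verdict in audit_scripts(page, SAMPLE_HTML):
            print(f"  {verdict:10} {src} -> {resolved}")
```

When the page itself is served over HTTP, the HTML carrying the script tags can be rewritten in transit as well, so an `ok` verdict for a single script only holds if the page is HTTPS too.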
Article tags: javascript, how to prevent JS hijacking in public computers, Stack Overflow