Dynamic JavaScript creates some of the hazards you don't know _javascript tips

Dynamic JavaScript

JavaScript code is often combined dynamically through the server-side band and name. In the process of this combination, user-related information is saved to the JavaScript code. When the JavaScript script is routed to the browsing side, the client's JavaScript is immediately available. But the reality is that these scripts are likely to be introduced by third parties, and the introduction of these scripts is not limited by the homologous policy. As a result, a webpage controlled by an attacker is likely to be included in a dynamically generated JavaScript script and then observe the execution of the script and possible security issues. Because all JavaScript scripts and local scripts imported through SRC are shared with global variables. Thus, if such a dynamic script contains the user's privacy data, the attacker would be able to access the data by introducing the script. This approach is also referred to as a cross-station scripting inclusion (XSSI).

Language features of JavaScript

In the hazard of dynamic javacript, it mainly involves the scope of JavaScript and the inheritance of prototype chain 2 characteristics.

Scope issues

JavaScript scope problems believe that a lot of people have some understanding, do not understand the Internet can be looked at. Unlike Java and C + + languages where there is a block-level scope, JavaScript is just a function scope. This means that the JavaScript engine assigns a scope to each function. The scope of a variable defined inside a function is within a function, which is called a local scope. The following code clearly illustrates the difference between a global scope and a local scope.

Prototype chain

In JavaScript, each created function has a prototype (prototype) attribute, which is a pointer to an object that is intended to contain properties and methods that can be shared by all instances of a particular type. The main way to inherit in JavaScript is through the prototype chain. The basic idea is to make an application type inherit the properties and methods of another application type using the prototype. When accessing the properties of an object, JavaScript determines whether the current object itself contains this attribute, or if it does not exist, is found in the object's prototype properties.

Attack mode

Because the script label in HTM is not affected by the homology policy. As a result, script resources can be imported into a cross domain page. Although Cross-domain pages cannot directly access the source code of these scripts, you can observe how the script performs on the page after you import the script. If such a dynamic script package contains the user's privacy data, it is possible to disclose the user's data in this manner.

Attacks based on global variables

When a global variable is created in the imported javascrpit, the global variable can also be accessed by the JavaScript code in the page. So if a dynamic script assigns the user's privacy data to a global variable, the attacker can access the data through a global variable.

Suppose the JavaScript code in the normal script leak.js is as follows:

(function () {
 Window.secret = "345a8b7c9d8e34f5";
}) ();

As you can see, this script assigns the user's privacy data to a Windows global variable.

The code for the malicious site is:

<script src= "Http://www.good.com/leak1.js" ></script>
<script>
 var user_data= Window.secret; 
 Send user data to hacker
 Sendstolendata (user_data);
</script>

When a user accesses a Web site that contains the malicious code above, the site uses the Window object to retrieve the user data and send it to the attacker.

Redefining Global API attacks

Because of the dynamic nature of JavaScript, many functions can be overridden by attackers, even those with JavaScript built-in functions. If a dynamic JavaScript script passes the privacy data through a built-in function in a system, the attacker can get the user's privacy data by rewriting the function before the function is called.

Suppose the code for JavaScript in the normal script leak.js is as follows:

(function () {
 var secret = "345a8b7c9d8e34f5";

 Json.stringify (secret);
}) ();

As you can see, in this code, you invoke a method that's taken in the JavaScript language JSON.sttringify() . And this method can be completely exploited by hackers.

Here is the code in the malicious site:

<script type= "Text/javascript" >
 json.stringify = function (user_data) {
  sendstolendata (user_data);
 }
</script>
<script type= "Text/javascript" src= "Http://www.good.com/leak.js" ></script>

When a user visits this site, because the JSON.strinify() method has been overridden by an attacker, when the code in the imported Leak.js executes, the invoked JSON.stringify() method is, in effect, invoking the method written by the attacker. So that the user's information will be stolen.

Prototype tampering

As I've said before, JavaScript is based on the prototype chain. When accessing a property of an object, the JavaScript interpreter searches through the prototype chain until the property is found. In the following code, we have a clear understanding of the problem.

Suppose the code for JavaScript in the normal script leak.js is as follows:

(function () {
 var arr = ["Secret1", "Secret2", "Secret3"];
 var x = Arr.slice ();
}) ();

As you can see from the code, there are 3 user-related privacy data in the ARR array. Then the ARR instance invokes the slice() method. It is obvious that this method does not exist. Because the ARR instance itself does not create and declare this method, it is also not in the array object. But when a situation like this happens, the program does not complain, it just means that the slice method does not exist. So in this case, it may not be possible for the programmer to know that the ARR instance he created has a method called slice (). The above code is likely to be exploited by attackers.

Here is the code for the malicious site:

<script type= "Text/javascript" >
Array.prototype.slice = function () {
 //send data to attacker
 Sendtoattackbackend (this);
}
</script>
<script type= "Text/javascript" src= "Http://www.good.com/leak.js" ></script>

When a user accesses a Web site that contains malicious code, when JavaScript in the imported Leak.js executes slice the method execution, it invokes the method that the attacker added to the array so that the slice sensitive data is sent to the attacker.

Prevention

When developers are doing web development, it's best to separate the code from the data. Sensitive and important data should be kept in separate files so that the files are not executed by browsers as JavaScript. Access is also required for these static resources, which can be accessed only after the user logs on, in which case the attacker would not be able to access the data even if the static resource was introduced.

Summarize

The above is about dynamic JavaScript caused the harm of all the content, I hope this article can be for everyone's study or work to bring certain help, if there is doubt you can message exchange.