From the Web to Windows 8:javascript security

Years ago, I thought it was a good idea to learn how to play golf. I have never been to a golf club before registering for some local driving training courses. In my first class, the teacher asked me if I had studied similar courses or played golf. I told him no when he said: "Very well!" We will not have to worry about some old habits that hinder your progress. ”

WEB developers will follow some of the inherent habits when transitioning from a browser to a Windows application store application. Although WEB developers can take advantage of existing JavaScript knowledge, they need to change the way they think because of new features. Security is one of those fundamentally different features. Many WEB developers are accustomed to handing the security of an application to a server implementation, and they give the following reasons: "Why bother?" We can easily bypass JavaScript. "On the Web client, security features are viewed only as a way to increase availability and not to enhance the overall security of the Web application."

Using Windows 8,javascript plays an important role in ensuring the overall security of your application by providing the tools needed to protect data, validate input, and separate potentially malicious content. In this article, I'll show you how to change some of the habits that you develop during WEB development to build a more secure Windows Store application using HTML5, JavaScript, and Windows Runtime security features.

Input validation

Web developers say: JavaScript validation is only used to improve performance, not to enhance application security.

Windows 8 developers say that using HTML5 and JavaScript for validation is your first line of defense against malicious content entering your application.

For traditional WEB applications, JavaScript is usually just a gateway to the server. All important operations on the data, such as input validation and storage, are performed on the server. A malicious attacker could disable JavaScript or submit a specially crafted HTTP request to bypass all client-side protection on their own browsers. In the Windows store application, developers cannot rely on the server to clean up user input before manipulating data because there is no server. You can only rely on JavaScript and HTML5 for input validation.

In software security, input validation is an important aspect of ensuring data integrity. Without it, an attacker could use each input field as an attack vector that might attack a Windows application store application. In the second edition of Writing Secure Code (Microsoft Press, 2003), author Michael Howard and Steve Lipner said: "All input is not credible until proven," which has become a famous quote on management input.

You should not trust any data until it conforms to the specification of "known useful" data. When building an application, the developer knows what data from a particular field should look like (that is, a allow list), or at least know what it should not contain (that is, a deny list). When making input validation, always use the Allow list whenever possible to limit the input to known useful data. By allowing only known-good data, you can reduce the likelihood of a lack of new or unknown ways of expressing incorrect data.

restriction, refusal and purification

How can a developer reduce the risk to the user by limiting the input to known useful data? They use the three input validation phases shown in Figure 1 to reduce the risk of malicious content entering their applications.

Figure 1 Input validation (image based on the 4th chapter, "Improving Web Application Security: Threats and Countermeasures", figure 4.4, "The Design Guide for secure Web Applications", Web site: bit.ly/emyi5a)