| I've just been mailing my online supermarket about a problem
| I have had with their site. While attempting to discover what
| is going on I've discovered that I can read their
| Javascript code.
| Does this constitute a breach of security on my part? And,
| what is more important, is this a security failure on
| their part?
| Comments anyone?

Javascript is typically used for form validation (and pretty effects) on sites such as the one you describe; this does not pose a security risk in itself, although if the server-side program handling requests was poorly implemented it may be possible to glean information from the Javascript code which could assist an attacker in some kind of exploit if they were particularly lucky and tenacious.

It is the nature of Javascript that it cannot be hidden, embedded as it is in markup, but certain practices such as referencing functions in an external .js file which is, itself, highly obfuscated may deter opportunists. Obviously, it would not be a good idea to rely on such a procedure. Personally, I prefer sticking functions into a .js file rather than the head of the page because it makes it easier to manage if your project gets quite large, allowing code reuse and such.

Even if you are not a Javascript whizz you should be able to spot the difference between a document formatting script and something sinister. Take nothing for granted - I cannot name names but I have recently come into contact with some *very* stupid procedures in an online ordering system that would lead you to question the very nature of humanity. I would assume, however, that a large supermarket has too much loss of PR at stake to be taking any sort of risk. A hint as to who the site in question may be or a look at the functions would enable further comment.

If in doubt, however, I would suggest a bus trip into town rather than risking your credit card info ;)

MB

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
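The point made above, that readable client-side validation is harmless only when the server re-checks everything itself, as an added example that is not part of the original thread or of any real supermarket's site. The field names, limits and postcode pattern are assumptions chosen for illustration.

```javascript
// Added example (not from the original thread): the same validation rules
// run in the browser for quick feedback and again on the server, which is
// the only place the check actually counts. Field names, limits and the
// postcode pattern are assumptions, not taken from any real ordering site.

// Rules shared by both sides. Nothing here is secret; a visitor reading
// them gains nothing, because the server re-runs them on every request.
const RULES = {
  quantity: (v) => Number.isInteger(v) && v >= 1 && v <= 50,
  postcode: (v) =>
    typeof v === 'string' && /^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$/i.test(v.trim()),
  productId: (v) => typeof v === 'string' && /^[A-Z0-9]{4,12}$/.test(v),
};

// Returns the names of the fields that fail validation (empty = valid).
function validateOrder(order) {
  return Object.keys(RULES).filter((field) => !RULES[field](order[field]));
}

// Browser side: a convenience so the shopper sees errors before submitting.
// Returning true lets the form submit; false would show the error list.
function onSubmitClicked(formValues) {
  return validateOrder(formValues).length === 0;
}

// Server side (an HTTP handler, for instance): the request body is untrusted.
// Any "already validated" flag the client sends is ignored, the rules run
// again, and only the known fields are copied into the order that is processed.
function handleOrderRequest(body) {
  const errors = validateOrder(body);
  if (errors.length > 0) {
    return { status: 400, error: `invalid fields: ${errors.join(', ')}` };
  }
  const order = {
    productId: body.productId,
    quantity: body.quantity,
    postcode: body.postcode.trim().toUpperCase(),
  };
  return { status: 200, order };
}

// Constructed sample requests. The second claims to be validated but is not,
// and the server answers it exactly as if the flag were absent.
const goodRequest = { productId: 'SKU12345', quantity: 3, postcode: 'ex4 4qj' };
const badRequest = {
  productId: 'SKU12345', quantity: 9999, postcode: 'nowhere', clientValidated: true,
};
```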