analysing flow of a javascript application


pantagruel

Hi,

My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.

Basic security concerns are:

1. Possible SQL injection and other forms of injection attacks on URLs
of the various server-side components the JavaScript accesses.

2. Possible client-side database access.

3. Incorrect use of HTTP GET for operations with possible side effects.



The security problems are probably relatively harmless, mainly because
the application should be running behind a firewall.

However, I would like to have an analysis tool that can go over the
JavaScript code and allow me to see what URLs are being called with
what parameters.

JavaScript that writes new JavaScript into the page (so I can get all
the JavaScript files of the application for analysis).

I know there are various JavaScript profilers and the like; is there anything
out there that helps in the analysis of this kind of application?
 

petermichaux

pantagruel said:
Hi,

My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.

Basic security concerns are:

1. Possible SQL injection and other forms of injection attacks on URLs
of the various server-side components the JavaScript accesses.

2. Possible client-side database access.

3. Incorrect use of HTTP GET for operations with possible side effects.

The security problems are probably relatively harmless, mainly because
the application should be running behind a firewall.

There may be things you can do to improve the javascript but there is
nothing realistic you can do to stop the kind of security problems that
come from client requests. You have to do _all_ verification on the
server-side even if you do some before the request with JavaScript on
the client-side.

pantagruel said:
However, I would like to have an analysis tool that can go over the
JavaScript code and allow me to see what URLs are being called with
what parameters.

Find in a text editor?
 

Ira Baxter

pantagruel said:
Hi,

My work is putting in a large application that is basically split up
between 30 or so Javascript files. I have some security concerns about
this application.

However, I would like to have an analysis tool that can go over the
JavaScript code and allow me to see what URLs are being called with
what parameters.

I know there are various JavaScript profilers and the like; is there anything
out there that helps in the analysis of this kind of application?

To do this with a tool, you need something that parses JavaScript
and makes the parsed result available for such analysis.

While it doesn't do what you want out of the box, you could
build such an analysis tool using the DMS Software Reengineering
Toolkit, which does have a JavaScript front end parser.
For more details see
http://www.semanticdesigns.com/Products/DMS/DMSToolkit.html
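The kind of analysis Ira describes needs a parser; the scanner below, added here as an example and not code from the thread or from the DMS toolkit, shows what can already be learned from a much cheaper pass. It tokenises each JavaScript file only far enough to pull out string literals (skipping comments, honouring escapes), then reports which literals are URLs, which query parameters they carry, which HTTP method the surrounding `XMLHttpRequest.open(method, url)` call uses, where a URL is finished by string concatenation at run time (the injection case from the question), and which literals load further scripts. The sample input, the route names and the list of "side-effect" path words are all constructed assumptions; regex literals, template strings and URLs built purely from variables are assumed not to occur in the application.

```javascript
// Added example (not from the thread or DMS): a string-literal scanner for
// JavaScript that reports URLs, their query parameters, the HTTP method of the
// enclosing xhr.open() call, run-time concatenation, and scripts that load
// more scripts. Plain Node.js, no dependencies. It is a literal scanner, not a
// parser: URLs assembled entirely from variables are invisible to it.

// Every quoted string in src, with its line number and start offset.
function stringLiterals(src) {
  const out = [];
  let i = 0, line = 1;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '\n') { line++; i++; continue; }
    if (c === '/' && n === '/') {                      // line comment
      while (i < src.length && src[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && n === '*') {                      // block comment
      i += 2;
      while (i < src.length && !(src[i] === '*' && src[i + 1] === '/')) {
        if (src[i] === '\n') line++;
        i++;
      }
      i += 2;
      continue;
    }
    if (c === '"' || c === "'") {                      // string literal
      const quote = c, startLine = line, startIndex = i;
      let value = '';
      i++;
      while (i < src.length && src[i] !== quote) {
        if (src[i] === '\\') { value += src[i + 1]; i += 2; continue; } // keep escaped char
        if (src[i] === '\n') line++;
        value += src[i++];
      }
      i++;                                             // closing quote
      out.push({ line: startLine, index: startIndex, value });
      continue;
    }
    i++;
  }
  return out;
}

// Absolute or root-relative URL, optionally followed by a query string.
const URL_LITERAL = /^(https?:\/\/[^\s?]+|\/[^\s?]*)(\?\S*)?$/;
// Path words that suggest a state-changing operation (assumed heuristic).
const SIDE_EFFECT = /delete|remove|update|save|create|edit/i;

// Parameter names in a query fragment such as "?id=&sort=date" or "&sort=date".
function paramNames(query) {
  return query.replace(/^[?&]/, '').split('&').map(p => p.split('=')[0]).filter(Boolean);
}

// One finding per URL literal in a JavaScript source file.
function analyse(src, file = '<input>') {
  const findings = [];
  const lits = stringLiterals(src);
  for (let k = 0; k < lits.length; k++) {
    const lit = lits[k], last = findings[findings.length - 1];
    if (/^[?&]/.test(lit.value) && last) {             // "&sort=date" after a variable
      last.params.push(...paramNames(lit.value));
      continue;
    }
    const m = URL_LITERAL.exec(lit.value);
    if (!m) continue;
    const prev = lits[k - 1];                          // xhr.open(<method>, <url>)?
    const isMethod = prev && /^(GET|POST|PUT|DELETE)$/i.test(prev.value)
      && /\.open\(\s*$/.test(src.slice(Math.max(0, prev.index - 20), prev.index));
    const f = { file, line: lit.line, method: isMethod ? prev.value.toUpperCase() : null,
                path: m[1], params: m[2] ? paramNames(m[2]) : [], warnings: [] };
    if (/[?&=]$/.test(lit.value)) f.warnings.push('parameter value concatenated at run time; confirm the server validates it');
    if (f.method === 'GET' && SIDE_EFFECT.test(f.path)) f.warnings.push('GET used for an operation whose name suggests side effects');
    if (/\.js$/i.test(f.path)) f.warnings.push('loads another script; add it to the files to analyse');
    findings.push(f);
  }
  return findings;
}

// Constructed sample in the style of the application discussed (not its real code).
const SAMPLE = `
// orders.js (constructed)
function loadOrders(custId) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/orders.php?customer=" + custId + "&sort=date", true);
}
function deleteOrder(id) {
  /* side effect through a GET */
  var xhr = new XMLHttpRequest();
  xhr.open('GET', '/api/orders/delete.php?id=' + id);
}
var s = document.createElement('script');
s.src = 'https://cdn.example.com/widgets/v2.js';   // more code to analyse
`;

if (typeof require !== 'undefined' && require.main === module) {   // node scan.js a.js b.js ...
  const files = process.argv.slice(2), fs = require('fs');
  const results = files.length ? files.flatMap(f => analyse(fs.readFileSync(f, 'utf8'), f)) : analyse(SAMPLE, 'orders.js');
  for (const r of results) console.log(JSON.stringify(r));   // one JSON finding per line
}
```

Run it over the 30 files with `node scan.js *.js` and grep the JSON lines for `warnings`. On the sample it reports the lookup as a GET with parameters `customer` and `sort`, the deletion as a GET whose path suggests side effects with its `id` concatenated at run time, and the CDN script as another file to pull into the analysis. A real parser front end, as Ira suggests, would additionally resolve URLs built from variables and calls routed through wrapper functions, which this scanner cannot see.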
 

Bruce Wisentaner

petermichaux said:
There may be things you can do to improve the javascript but there is
nothing realistic you can do to stop the kind of security problems that
come from client requests. You have to do _all_ verification on the
server-side even if you do some before the request with JavaScript on
the client-side.

Find in a text editor?

You cannot trust Javascript to enforce security policies, since it
ultimately runs under control of client.
My guiding philosophy:
Use Javascript and client-side validation to protect the client from
himself.
Use server-side validation code to protect the server from the client.
If that makes for redundant validation, so what!?

---Bruce Wisentaner
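The rule in petermichaux's and Bruce's replies (do all verification on the server no matter what the client checked, and keep operations with side effects off GET) as an added example that is not code from the thread. The route names, the `orders` table and columns, the allowlist of sort columns and the `?` placeholder style are assumptions; the handler is a pure function that returns a prepared-statement description instead of contacting a database, so it runs offline.

```javascript
// Added example (not from the thread): the "validate on both sides" rule in
// code. The client-side check only gives the user early feedback; the server
// repeats every check because whatever the client sends is under the
// client's control. Route names, table and columns are invented.

const SORT_COLUMNS = new Set(['date', 'total', 'status']);   // allowlisted identifiers

// Client-side: protects the user from himself (typos, obvious mistakes).
// Anything it accepts is still re-checked by the server below.
function clientValidateOrderQuery(customer, sort) {
  return /^\d{1,9}$/.test(String(customer)) && SORT_COLUMNS.has(sort);
}

// Server-side: protects the server from the client. Accept a string of digits
// only; "42 OR 1=1" and friends are rejected before they get near any SQL.
function parsePositiveInt(raw) {
  return typeof raw === 'string' && /^\d{1,9}$/.test(raw) ? Number(raw) : null;
}

// req = { method, path, query, body }; returns { status, sql? } where sql is a
// prepared-statement description ({ text, values }) for a driver to execute.
function handleRequest(req) {
  const { method, path, query = {}, body = {} } = req;

  if (path === '/api/orders.php') {                     // read-only lookup
    if (method !== 'GET') return { status: 405 };
    const customer = parsePositiveInt(query.customer);
    const sort = query.sort === undefined ? 'date' : query.sort;
    if (customer === null || !SORT_COLUMNS.has(sort)) return { status: 400 };
    // The value is passed as a bind parameter. An identifier cannot be bound,
    // so the column is only interpolated after it matched the allowlist exactly.
    return { status: 200,
             sql: { text: `SELECT * FROM orders WHERE customer_id = ? ORDER BY ${sort}`, values: [customer] } };
  }

  if (path === '/api/orders/delete.php') {              // state-changing
    // GET is refused outright, so a link, a prefetcher or an <img src> cannot delete.
    if (method !== 'POST') return { status: 405 };
    const id = parsePositiveInt(body.id);
    if (id === null) return { status: 400 };
    return { status: 200, sql: { text: 'DELETE FROM orders WHERE id = ?', values: [id] } };
  }

  return { status: 404 };
}
```

Both `clientValidateOrderQuery` and `handleRequest` reject `customer=42 OR 1=1`; the point is that the server would reject it even if the client-side check had been bypassed or removed. Refusing GET for the deletion covers the question's third concern, but note that POST-only is not on its own a defence against a forged cross-site POST; that needs a per-session token checked by the same server-side code.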
 
