Devon & Cornwall Linux Users' Group


RE: [LUG] Supermarket Security



|       I've just been mailing my online supermarket about a problem
|       I have had with their site. While attempting to discover what
|       is going on I've discovered that I can read their 
|       Javascript code.
|       Does this constitute a breach of security on my part? And,
|       what is more important, is this a security failure on 
|       their part?
|       Comments anyone?


Javascript is typically used for form validation (and pretty effects) on
sites such as the one you describe; this does not pose a security risk
in itself although if the server-side program handling requests was
poorly implemented it may be possible to glean information from the
Javascript code which could assist an attacker in some kind of exploit
if they were particularly lucky and tenacious.

It is the nature of Javascript that it cannot be hidden, embedded as it
is in markup, but certain practices such as referencing functions in an
external .js file which is, itself, highly obfuscated may deter
opportunists.  Obviously, it would not be a good idea to rely on such a
procedure.

Personally, I prefer sticking functions into a .js file rather than the
head of the page because it makes it easier to manage if your project
gets quite large, allowing code reuse and such.

Even if you are not a Javascript whizz you should be able to spot the
difference between a document formatting script and something sinister.

Take nothing for granted - I cannot name names but I have recently come
into contact with some *very* stupid procedures in an online ordering
system that would lead you to question the very nature of humanity.  I
would assume, however, that a large supermarket has too much loss of PR
at stake to be taking any sort of risk.

A hint as to who the site in question may be or a look at the functions
would enable further comment.  If in doubt, however, I would suggest a
bus trip into town rather than risking your credit card info ;)

MB
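To make the point in the reply concrete, here is an added example (not code from the list post or from any supermarket site; the form fields, SKU format and catalogue are constructed): a client-side validation routine of the kind anyone can read in a page's .js file, beside a poorly implemented handler that trusts what the browser sent and a hardened handler that repeats the checks and takes the price from its own catalogue.

```javascript
// Added example. Client-side validation is visible to everyone and is
// advisory only; the server-side handler must re-check anything it relies on.

// What the shopper's browser runs (and what anyone can read in the .js file).
// Hypothetical order form: { sku, quantity, price }.
function clientValidateOrder(form) {
  const errors = [];
  if (!/^[A-Z]{3}\d{4}$/.test(String(form.sku))) errors.push("bad sku");
  const qty = Number(form.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 24) errors.push("bad quantity");
  return errors;
}

// Constructed catalogue standing in for the shop's database (prices in pounds).
const CATALOGUE = { ABC1234: { price: 2.5 }, XYZ9999: { price: 120 } };

// The "poorly implemented" server-side program from the reply: assumes the
// browser already validated, and trusts the price field the form carries.
function naiveServerHandle(form) {
  const qty = Number(form.quantity);
  return { ok: true, sku: form.sku, quantity: qty, total: Number(form.price) * qty };
}

// Hardened handler: re-runs the same checks server-side and never uses a
// client-supplied price, so a request that does not match what the script
// would have allowed is rejected or repriced rather than accepted as sent.
function serverHandle(form) {
  const errors = clientValidateOrder(form);
  const item = CATALOGUE[form.sku];
  if (!item) errors.push("unknown sku");
  if (errors.length > 0) return { ok: false, errors };
  const qty = Number(form.quantity);
  return { ok: true, sku: form.sku, quantity: qty, total: item.price * qty };
}

// Constructed request whose price field disagrees with the catalogue.
const SAMPLE_REQUEST = { sku: "XYZ9999", quantity: "2", price: "0.01" };
console.log("naive:", naiveServerHandle(SAMPLE_REQUEST).total);   // 0.02
console.log("hardened:", serverHandle(SAMPLE_REQUEST).total);     // 240
```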

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
