{"id":636,"date":"2021-05-19T18:13:08","date_gmt":"2021-05-19T23:13:08","guid":{"rendered":"https:\/\/www.becomebetterprogrammer.com\/?p=636"},"modified":"2022-04-25T09:44:42","modified_gmt":"2022-04-25T14:44:42","slug":"is-javascript-client-side-secure-what-are-the-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/","title":{"rendered":"Is JavaScript Client-Side Secure? What Are The Vulnerabilities?"},"content":{"rendered":"\n<p>Software Development has evolved dramatically over the last 10+ years. Prior to the development of Frontend JavaScript frameworks, multiple projects relied on the backend, including its security. With more advances on the client-side, the level of responsibility has increased equally on both ends. However, is the JavaScript Client-Side Secure?<\/p>\n\n\n\n<p>In short, <strong>JavaScript client-side applications are not 100% safe. The main reason is that<\/strong><strong> there is no full control of the client-side as it is executed in the browser. Those with advanced skills can have access to critical information on the frontend and expose vulnerabilities. <\/strong><\/p>\n\n\n\n<p> Although it is not possible to achieve 100% protection, some applications are more secure than others. The main reason is that the security is dependent on the developer&#8217;s expertise in security. Therefore, if the developer is experienced and constantly introducing best practices to make an application more secure on the client side, the likelihood of suffering from attacks will be reduced.<\/p>\n\n\n\n<p>On the other hand, if developers lack the knowledge and skills to prevent vulnerabilities, the possibilities of having a hackable frontend system increase exponentially. It is important to understand how software development works and have a basic understanding of the risks involved not only on the client-side but also on the server-side. <\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\"><p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<\/div><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#What_Is_A_JavaScript_Vulnerability\" >What Is A JavaScript Vulnerability?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#What_Are_Some_JavaScript_Client-Side_Vulnerabilities_Examples\" >What Are Some JavaScript Client-Side Vulnerabilities Examples?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#How_Do_You_Make_the_Client-Side_Safer\" >How Do You Make the Client-Side Safer?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#JavaScript_Obfuscation\" >JavaScript Obfuscation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#JavaScript_Minification\" >JavaScript Minification<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#Secure_Frontend_Can_Still_Be_Vulnerable_To_Attacks\" >Secure Frontend Can Still Be Vulnerable To Attacks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#Is_The_Server-Side_More_Secure_Than_The_Client-Side\" >Is The Server-Side More Secure Than The Client-Side?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/#Should_I_Worry_About_Making_The_Client-Side_Safer_If_The_Server-Side_is_Already_Secure\" >Should I Worry About Making The Client-Side Safer If The Server-Side is Already Secure?<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Is_A_JavaScript_Vulnerability\"><\/span>What Is A JavaScript Vulnerability?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Regardless of whether it is JavaScript, Python, C#, Ruby on Rails, or any other programming language, <strong>a vulnerability is<\/strong> <strong>the state of an application being exposed to attacks that could lead to harmful consequences such as unauthorized access,  stolen data, or complete deletion of data. <\/strong> <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Are_Some_JavaScript_Client-Side_Vulnerabilities_Examples\"><\/span>What Are Some JavaScript Client-Side Vulnerabilities Examples?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Some of the most common client side vulnerabilities are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SQL or NoSQL Injection <\/li><li>Security Misconfiguration<\/li><li>Broken Access Control<\/li><li>Cross Site Scripting (XSS)<\/li><li>Cross Site Request Forgery (CSRF)<\/li><li>Using Third-Party Libraries and\/or Components with Existing Vulnerabilities<\/li><li>Bad Deserialization Practices<\/li><li>Sensitive Data Exposure<\/li><li>XML External Entities (XXE) Injection<\/li><\/ul>\n\n\n\n<p>For an in depth explanation on any of these vulnerabilities, I recommend visiting <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" target=\"_blank\" rel=\"noreferrer noopener\">this article<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Do_You_Make_the_Client-Side_Safer\"><\/span>How Do You Make the Client-Side Safer? <span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There are several techniques you can use to make your client-side more secure. One of the most popular is <strong>Obfuscation<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"JavaScript_Obfuscation\"><\/span>JavaScript Obfuscation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Obfuscation is the process of transforming your code which makes it hard for people to read and understand<\/strong>. For example, we have a simple JavaScript code below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-javascript\">function buyFood() {\n  console.log(\"Food purchased!\");\n}\nbuyFood();<\/code><\/pre>\n\n\n\n<p>If we decide to make changes on the code to make it virtually impossible to read, we could do something like this:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre><code class=\"language-javascript\"> var _0x458b=['538646gopomJ','25BqksCQ','Food\\x20purchased!','1mUfMcU','2391QzfyJC','241qJuyFw','202607eXJeSc','5417sdkWwj','767678sNJrpT','824751UwpeHE','747317UIaClF'];var _0x9cfe=function(_0x1a0bc5,_0x3f02bc){_0x1a0bc5=_0x1a0bc5-0x111;var _0x458b51=_0x458b[_0x1a0bc5];return _0x458b51;};(function(_0x3a5071,_0x3e25e5){var _0x1c8a8b=_0x9cfe;while(!![]){try{var _0x1e67de=parseInt(_0x1c8a8b(0x117))+-parseInt(_0x1c8a8b(0x119))+-parseInt(_0x1c8a8b(0x116))*-parseInt(_0x1c8a8b(0x115))+-parseInt(_0x1c8a8b(0x118))*parseInt(_0x1c8a8b(0x112))+parseInt(_0x1c8a8b(0x111))+-parseInt(_0x1c8a8b(0x11a))*-parseInt(_0x1c8a8b(0x114))+-parseInt(_0x1c8a8b(0x11b));if(_0x1e67de===_0x3e25e5)break;else _0x3a5071['push'](_0x3a5071['shift']());}catch(_0x5b1b4b){_0x3a5071['push'](_0x3a5071['shift']());}}}(_0x458b,0x78127));function buyFood(){var _0x5333e2=_0x9cfe;console['log'](_0x5333e2(0x113));}buyFood();<\/code><\/pre><\/div>\n\n\n\n<p>However, putting in practice Obfuscation can be complex for developers to implement as it will slow down the development process due to the fact that it takes longer to write code that only machines can easily understand. Fortunately, there are tools available that will simplify this process such as this <a href=\"https:\/\/obfuscator.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">JavaScript Obfuscator Tool<\/a>. Give it a try!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"JavaScript_Minification\"><\/span>JavaScript Minification<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Minification or to minify is the process of removing extra spaces, new lines, or any other unnecessary characters from the code source without impacting the coding process. This could also involve converting variable names and\/or function names allowing to reduce the code size and making applications lighter as well as optimizing conditional statements and removing comments among others<\/strong>. Besides minifying JavaScript files, you can also reduce the size of HTML and CSS files.<\/p>\n\n\n\n<p>Minification is a commonly established practice within the software development industry, and it happens when the prod or production version of an application is built allowing the codebase to be lighter. This allows the users to use fewer data resources at the moment of using the software, .i.e., web or mobile applications.<\/p>\n\n\n\n<p>Besides reducing files&#8217; sizes, minification also gives the client-side application an extra level of security. Let&#8217;s understand with an example. Do you remember our previous snippet of code where we defined the <strong><span class=\"has-inline-color has-black-color\"><code>buyFood<\/code> <\/span><\/strong>function? If we decide to minify this code, it will look like the following:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre><code class=\"language-javascript\">function b(){console.log(\"Food purchased!\");}b();<\/code><\/pre><\/div>\n\n\n\n<p>If you notice, the <span class=\"has-inline-color has-black-color\"><strong><code>buyFood<\/code> <\/strong><\/span>function is now called <code><strong><span class=\"has-inline-color has-black-color\">b<\/span><\/strong><\/code>. Also, all the spaces and new lines have been removed. In this case, the piece of code we wrote is not complex and certainly you could have a good guess of what our code does. However, this is not usually the case of real-world projects as they tend to have more code logic and complexity. If an attacker decides to &#8220;read&#8221; through the logic of a minified version of code, it will take him a lot of time before he can understand what the code does.<\/p>\n\n\n\n<p>There are free tools available to minify your code such as <a href=\"https:\/\/www.minifier.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Minify<\/a> or <a href=\"https:\/\/javascript-minifier.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">JavaScript Minifier<\/a> if you are looking to manually reduce your code size. To avoid manual work, you can also use popular third-party libraries such as <a href=\"https:\/\/github.com\/mishoo\/UglifyJS\" target=\"_blank\" rel=\"noreferrer noopener\">uglify<\/a>, <a href=\"https:\/\/terser.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">terser<\/a>, or <a href=\"http:\/\/coderaiser.github.io\/minify\/\" target=\"_blank\" rel=\"noreferrer noopener\">minify<\/a> to automate this process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Secure_Frontend_Can_Still_Be_Vulnerable_To_Attacks\"><\/span>Secure Frontend Can Still Be Vulnerable To Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Even if you did an excellent job at obfuscating and minifying your client-side code base, your front end is still vulnerable to attacks. Since you cannot control what the client does in the browser, hackers can manipulate files at their will. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Is_The_Server-Side_More_Secure_Than_The_Client-Side\"><\/span>Is The Server-Side More Secure Than The Client-Side?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Even though you can attempt to make the client-side as secure as possible, the server-side is safer. Having said that, this doesn&#8217;t mean you can avoid implementing best practices to prevent your application from being exploited on the server-side. Nevertheless, the server-side allows developers to gain control of, .i.e. their API (Application Programming Interface).<\/p>\n\n\n\n<p>In fact, stricter security measurements must be taken into account prior to deploying and exposing the server-side as sensitive data or logic manipulating the data resides there and any failure to protect the server can lead to catastrophic outcomes such as data thief or complete deletion of the database.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Should_I_Worry_About_Making_The_Client-Side_Safer_If_The_Server-Side_is_Already_Secure\"><\/span>Should I Worry About Making The Client-Side Safer If The Server-Side is Already Secure?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In the case a system is dependent on both, a backend and a frontend, or a server-side and a client-side, it is important to still give the same level of security to the two. Failure to do so can represent a huge impact on a business. One common scenario where many Junior developers fail is to properly ensure validation of the data. For example, our application has a login page, which contains a form with two input boxes, one for the username and the other for the password.<\/p>\n\n\n\n<p>It has become standard to provide error messages on any of this information prior to submitting the login form, or in other words, making a request to an API to authenticate the user. But what do you think would happen if the password input box displays in plain-text the password of the user as he is typing, instead of hiding the password which happens whenever the attribute <strong><span class=\"has-inline-color has-black-color\"><code>type<\/code> <\/span><\/strong>is set as <code><strong><span class=\"has-inline-color has-black-color\">password<\/span><\/strong><\/code>? Certainly, anyone walking nearby could see the user&#8217;s password representing in a user-theft vulnerability.<\/p>\n\n\n\n<p>But that is one case. Can you think of the scenario where someone else has hacked the user&#8217;s computer and the hacker is recording everything the user does on the computer? Due to a failure in the development on the client-side, we allowed hackers to get more sensitive information from the user.<\/p>\n\n\n\n<p>Now, let&#8217;s think of the scenario where the client-side is secure, but the server-side lacks security.  For example, our API has a GET endpoint called <code><strong>\/car<\/strong><\/code> and it receives an <span class=\"has-inline-color has-black-color\"><strong><code>id<\/code> <\/strong><\/span>query parameter to get a specific car record. The <code><strong>id<\/strong><\/code>&#8216;s data type is a number. Unfortunately, the API doesn&#8217;t validate the <strong><code>id<\/code> <\/strong>parameter and also doesn&#8217;t parameterize its value, but instead, it directly concatenates the <code><strong>id<\/strong><\/code> value in the following SQL script. For the purpose of this example, we are going to say that the <strong><code>id<\/code> <\/strong>value is <strong>1<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre><code class=\"language-sql\">SELECT * FROM Cars\nWHERE CAR_ID = \t1<\/code> <\/pre><\/div>\n\n\n\n<p>Here, it doesn&#8217;t seem to be a major risk. However, someone with basic SQL knowledge will know this is a case of SQL injection. Let&#8217;s change the value of <code><strong>id<\/strong><\/code> to <code><strong>1 or CAR_ID != 1<\/strong><\/code>, making our SQL script look like the following:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre><code class=\"language-sql\">SELECT * FROM Cars\nWHERE CAR_ID = \t1 or CAR_ID != 1<\/code><\/pre><\/div>\n\n\n\n<p>Now, our query will return all of the car records, and if the user is not supposed to have access to cars he didn&#8217;t create then a hacker will now have full access to the list of cars available in the database. <\/p>\n\n\n\n<p>Therefore, making the assumption that making one side (the server-side or the client-side) more secure than the other is not a good justification to make the other end less secure. As software development security practices evolve, hacking practices do the same. There are smart people out there with malicious intentions who always come up with innovative ways to break into a system. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Software Development has evolved dramatically over the last 10+ years. Prior to the development of Frontend JavaScript frameworks, multiple projects relied on the backend, including its security. With more advances on the client-side, the level of responsibility has increased equally on both ends. However, is the JavaScript Client-Side Secure? In short, JavaScript client-side applications are &#8230; <a title=\"Is JavaScript Client-Side Secure? What Are The Vulnerabilities?\" class=\"read-more\" href=\"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/is-javascript-client-side-secure-what-are-the-vulnerabilities\/\" aria-label=\"More on Is JavaScript Client-Side Secure? What Are The Vulnerabilities?\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":638,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[16,12],"tags":[],"class_list":["post-636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-javascript","category-programmers-knowledge","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/posts\/636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/comments?post=636"}],"version-history":[{"count":3,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/posts\/636\/revisions"}],"predecessor-version":[{"id":2518,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/posts\/636\/revisions\/2518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/media\/638"}],"wp:attachment":[{"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/media?parent=636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/categories?post=636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.becomebetterprogrammer.com\/staging\/4563\/wp-json\/wp\/v2\/tags?post=636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}