JavaScripts to Enhance Website Security

By balaji

December 21, 2010

Nowadays, JavaScript is extensively used to enhance user experience. However, the use of JavaScript to enhance website security is not quite popular. A few JavaScripts that can enhance website security without causing too much inconvenience to web users are as follows:


  1. Frame-busting JavaScript
  2. JavaScript to disable the Back button
  3. JavaScript to prevent DOM-based XSS

Frame-busting JavaScript

Clickjacking is a popular attack in which an attacker tricks legitimate users into clicking buttons on a legitimate site without their realising that they clicked that button. In this attack, the legitimate site is embedded into the attacker's website using the IFRAME tag. The embedded site is made transparent and positioned so that the buttons and forms on the attacker's site sit exactly below the legitimate site's buttons and forms.

The attack works because the legitimate site allows itself to be embedded into any site. So the solution is simple - do not allow other sites to embed your site. A very popular JavaScript that is used to bust frames is:

<script type="text/javascript">
if (top.location != location)
top.location = self.location;
</script>

The above script and its popular cousins were found to be ineffective in many scenarios in a study conducted by Stanford University and Carnegie Mellon University. The results of their study were published in a paper titled "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites". According to this paper, a more secure version of the script is as follows:

<style> html { display : none ; } </style>
<script>
if ( self == top )
{
    document.documentElement.style.display = 'block';
}
else
{
    top.location = self.location;
}
</script>

This script will load a blank page if JavaScript is disabled and will bust the frame if the page is framed. If the page is not framed it will display the page correctly.

JavaScript to disable the Back button

Have you ever noticed that using the Back button after logout displays pages that would otherwise have been accessible only after you submit your login credentials? Some applications can prevent this; however, they may still be vulnerable to the Back-Refresh Attack, in which a combination of the browser's Back and Refresh buttons may help an attacker steal your password.

One way of preventing this attack is to disable the use of the Back feature on the browser. The following script on every sensitive page will do the trick.

<script>
// Push the browser one step forward in its history, so Back never lands here.
window.history.forward();
</script>

This script ensures that you don't reach the previous page when you use the back button by moving the page forward by one page.

JavaScript to prevent DOM-based XSS

DOM-based XSS is the only type of XSS that can be prevented by using client-side JavaScript. If you are new to DOM-based XSS, read this article by Amit Klein.

The fix for DOM-based XSS is the same as for other XSS vulnerabilities: ensure that metacharacters such as < and > are not allowed. An example from Amit Klein's article that can help prevent DOM-based XSS is given below:

<script>
// Take everything after "name=" in the current URL.
var pos = document.URL.indexOf("name=") + 5;
var name = document.URL.substring(pos, document.URL.length);
// Allow only a non-empty run of letters and digits ("+" is needed, otherwise
// only a single character would ever pass).
if (name.match(/^[a-zA-Z0-9]+$/))
{
    document.write(name);
}
else
{
    window.alert("Security error");
}
</script>

This ensures that the string written to the HTML page consists of only alphanumeric characters.
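The same allowlist check written as standalone functions, as an added example that is not from the original post or from Amit Klein's article. It shows why slicing the raw URL is fragile (a second query parameter pollutes the value and is rejected), uses the URL parser instead, and keeps HTML escaping as the fallback for sinks that must accept arbitrary text; the element id "greeting" is an assumption.

```javascript
// Added example (not from the original post or Amit Klein's article).
// Pure functions first, so the logic runs outside a browser; only the
// wiring at the bottom touches the DOM.

const NAME_RE = /^[a-zA-Z0-9]+$/;   // allowlist: non-empty, letters and digits only

// Extract "name" the way the post's snippet does: everything after "name=".
function naiveExtractName(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Robust extraction: the URL parser handles parameter order, percent-decoding
// and the fragment instead of slicing the raw string. Returns null if absent.
function extractName(url) {
  return new URL(url).searchParams.get("name");
}

// Validate against the allowlist. Returns the name, or null when rejected.
function validateName(name) {
  return typeof name === "string" && NAME_RE.test(name) ? name : null;
}

// Fallback for sinks that must accept arbitrary text: escape rather than
// reject, so "<" can never open a tag and quotes cannot break out of attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Browser wiring: write through a text sink instead of document.write.
if (typeof document !== "undefined") {
  const safe = validateName(extractName(document.URL));
  const out = document.getElementById("greeting");   // assumed element id
  if (out) out.textContent = safe === null ? "Security error" : "Hello, " + safe;
}
```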

None of the above are foolproof; however, they do offer a reasonable level of security for the website. In my next article, we will look at some of these implementations in detail and provide suggestions on how best to implement them.
