Web Insights | Beau Brownlee

The Javascript Injection Problem

20 January 2009

What is it?

Javascript injection is a commonly ignored security issue. Basically, it is the idea that you can execute JavaScript from your address bar, or from one of the numerous browser plugins such as Greasemonkey, to change the DOM in any way you wish. So what's the big deal? Well, the bottom line is that there really shouldn't be a big deal: this should not affect your web application in any way if you develop it right. However, there are a lot of problems if you don't understand the weakness.

A Scenario

I recently was working with an e-commerce form. The form had a lot of hidden inputs, one of them being “price”. The issue with this is the fact that it is very easy to change anything in the DOM. For instance, let's say you are a user using the e-commerce form to purchase something. You see in the code that you have:

  <form method='post' action='process.php'>
    <!-- the price is sent to the client and read back by the server -->
    <input type='hidden' name='price' id='price' value='300' />
    <input type='submit' value='Buy' />
  </form>

Assuming (of course) there are more fields in this form, the most interesting one – as a hacker – would be the “price” field. This indicates that the processing script depends on the HTML field (which is coming from the client) to determine the price. So we (the hacker) now have a way to change it. Simply type:

  javascript: document.getElementById('price').value = .01

in the address bar and hit “enter”. This changes the price from 300 to .01, and since the server script depends on this field, you will be charged 1 penny instead of $300. This is great news if you're a hacker, but very bad news if you're the web developer.

The Ramifications

The ramification for a developer is that you must take care to accept from the client only the data you absolutely need from the client. A lot of data, such as prices, should be managed in sessions or in the database and never be sent to the client, since anything sent to the client can easily be modified by anyone.
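To make the scenario and the fix concrete, here is an added illustration (not the post's own process.php, nor code from its author) of a checkout handler written both ways: one that charges whatever hidden "price" the client posted, and one that ignores the posted value and takes the price from a server-side catalog or session. The catalog, session store, product ids, function names and request bodies are all constructed for this example.

```python
"""Added illustration of the post's scenario: a checkout handler that trusts a
hidden 'price' field, beside one that keeps the price server-side.
All names (CATALOG, SESSIONS, process_*) and data are constructed for this example."""
from urllib.parse import parse_qs

# Constructed server-side catalog: the authoritative price lives here, not in the form.
CATALOG = {"widget-42": 300.00, "gadget-7": 49.99}

# Constructed session store: the cart is kept on the server, keyed by a session id.
# The client can name its session, but it cannot alter what the server stored under it.
SESSIONS = {"sess-abc": {"cart": ["widget-42"]}}


def render_form_vulnerable(item: str) -> str:
    """The form from the post: the price is emitted as a hidden input the user can edit."""
    return (
        "<form method='post' action='process.php'>"
        f"<input type='hidden' name='item' value='{item}' />"
        f"<input type='hidden' name='price' id='price' value='{CATALOG[item]}' />"
        "<input type='submit' value='Buy' />"
        "</form>"
    )


def render_form_hardened(item: str) -> str:
    """Only the item id goes to the client; the price never appears in the DOM."""
    return (
        "<form method='post' action='process.php'>"
        f"<input type='hidden' name='item' value='{item}' />"
        "<input type='submit' value='Buy' />"
        "</form>"
    )


def process_vulnerable(body: str) -> float:
    """Charges whatever 'price' the client posted (the flaw the post describes)."""
    fields = parse_qs(body)
    return float(fields["price"][0])


def process_hardened(body: str) -> float:
    """Ignores any client-supplied 'price'; charges the catalog price for the item id."""
    fields = parse_qs(body)
    item = fields.get("item", [None])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    return CATALOG[item]


def process_from_session(session_id: str) -> float:
    """Totals the cart stored server-side; nothing about the price comes from the request."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise ValueError("no such session")
    return sum(CATALOG[item] for item in session["cart"])


# Constructed request bodies. The second is what the server receives after the user
# runs  javascript: document.getElementById('price').value = .01  in the address bar.
HONEST_BODY = "item=widget-42&price=300.0"
TAMPERED_BODY = "item=widget-42&price=.01"

if __name__ == "__main__":
    print("vulnerable handler, tampered body:", process_vulnerable(TAMPERED_BODY))  # 0.01
    print("hardened handler,   tampered body:", process_hardened(TAMPERED_BODY))    # 300.0
    print("session-based total:", process_from_session("sess-abc"))                 # 300.0
```

The hardened handler still accepts an "item" field from the client, which is fine: the item id only selects which catalog row to charge, and the server refuses ids it does not know. The session-based variant goes one step further and takes nothing price-related from the request at all, which is the "managed by sessions or database" approach the post recommends.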
