Preventing javascript injection from navigation bar

I was playing with cookies and things until I noticed a website that says you can easily set a cookie through the navigation bar with one simple code;

javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"

by doing this I can login to one computer, copy cookie data to another computer and set the same cookie through this code, after the update I was logged in with the same user.

(just on a simple webpage i did myselve)

this seems like a security issue to me, I mean of course they need to get the cookie data first, but without that, I think you could do a lot of damage with javascript:

from cookies.

Is there a way to prevent javascript:

the navigation bar from being used ?


source to share

4 answers

User is a security issue, not Javascript. The user gave you the session ID - i.e. Do you share your keys / passwords with others? If you do what a website can do? Send blioke around to constantly watch your stunt.



You cannot disable JavaScript in the navigation bar. I could visit your site and use the Internet Explorer Debug Tool, Chrome Debug Tool, or FireBug to run JavaScript code on your page.

Since JavaScript runs on the visitor's local computer, you have no control over it. Only the visitor controls which cookies are stored in the browser.

What you need to do is perform server side security measurements. But yes, all session cookie dependent authentication processes will have the security issue you explain.



Javascript is only excluded client side (exception is nodejs). Therefore, the server cannot do harm.



Javascript runs in the user's browser. We do not control it.

What you can do is obfuscate or hash variable names and/or values


See here



All Articles