
We are going to design and implement a UI for a big website. The owner of the site is really cautious about security issues. I wonder if there is a checklist for security issues on the client side, while designing and coding in Javascript.

AviD
saeed
  • What is the client protecting? What data is available via the website? What identification and authentication are you using, if any? – this.josh Jul 18 '11 at 19:26

2 Answers


There will never be a single perfect checklist, but here are a few things worth going through:

  • Wikipedia doesn't do half bad on this one

  • More for AJAX or other rich interfaces, but worth a read depending on your architecture - OWASP

  • This seems worth a test drive - haven't tried it myself - Javascript sandbox

Yes, none of these is a true "checklist" - IMO what you need to look for in Javascript vulnerabilities has a lot to do with how you are using it and what the rest of your architecture looks like - so I'm not sure a checklist will really cover the real concerns. It may be better to go through a risk analysis first, and then see how that translates into how you use the various web technologies as a collective.

bethlakshmi
  • An additional step of value would be to perform validation of the developed environment. This could be performed in-house by an off-the-shelf application vulnerability scanner or by an independent third party. This should be done before the site goes live in production. – lew Jul 19 '11 at 05:00
  • @lour - great point! Thank you! Didn't even think of that (smacks self in head). – bethlakshmi Jul 20 '11 at 14:06
  • @lour - what do you mean by developed environment? – saeed Jul 24 '11 at 07:17
  • @saeed, the validation should occur after development has finished. There is little value validating the product /before/ development has finished, as it is still subject to change. – lew Jul 27 '11 at 02:28
  • "OWASP JavaScript Sandboxes is a Javascript sandbox which converts code using regular expressions." - hmmm. – shabunc Aug 22 '11 at 16:11

To properly secure a web application, you need to have a good idea of how browsers and servers work. Javascript is only the tip of the iceberg.

For an introductory (but thorough) review of web application security, I recommend Michal Zalewski's The Tangled Web. The book comes with checklists (called "security engineering cheat sheets") at the end of each chapter.

cberzan