Holding password in javascript variable - security implications

Questions

Does holding a user's password in a JavaScript variable in the browser expose any specific security vulnerabilities, over and above the usual security vulnerabilities of a browser-based client?

http://jsfiddle.net/jS55M/

<!-- jQuery is assumed to be loaded already (jsfiddle adds it as the selected framework) -->
<label for="password">Password</label>
<input type="password" id="password"/><br/><br/>
<button type="button" id="pwdButton">Store password in window.password</button>

<script>
    // Read whatever is currently typed into the password field.
    function getContentsOfPasswordField() {
        return jQuery("input#password").val();
    }

    // On click, copy the field into a global that lives as long as the page does.
    jQuery("button#pwdButton").on("click", function() {
        window.password = getContentsOfPasswordField();
        // `password` here resolves to window.password, the global set above.
        alert(" " + password + "  stored in global var window.password");
    });
</script>

In this example the password variable is global and persists for the lifetime of the page, just to make it as open-to-attack as possible and give the worst-case scenario. Perhaps limiting the scope/lifetime of the variable can shield it from certain classes of attacks?

http://www.symantec.com/connect/blogs/getting-sassy-xss-part-1-keystroke-logging

Please note the point of the question is not really whether or not doing this is a bad practice, this is more of a fundamental question about client-side web app security :)

Answers

Leaving the password in a variable leaves it open to people to access simply in their browser tools! Let's say the function called when the store-password button is pressed stores the password in a variable called password. Even if this variable is not used on the page at all after that, simply handled later on somewhere in the code, all one has to do is open up the developer tools in their browser, add in a statement like alert(password);, and bam, the password literally pops up in front of them.

Admittedly, any code simple enough to let someone do that is probably unworthy of being on the web, and even less worthy of being meddled with, but I guess it's a lesson in how vulnerable we really are.
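To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the question's page with a plain object standing in for `window`: the global store from the question, a closure-scoped alternative that keeps no reference after use, and a small audit that lists which globals hold the password. The sample password and the stand-in window object are constructed for the example.

```javascript
// Added example; `PASSWORD` and the stand-in `win` objects are constructed, not real page state.
const PASSWORD = 'correct horse battery staple';

// (a) The question's pattern: the click handler copies the field into a global
//     that persists for the lifetime of the page.
function storeInGlobal(win, fieldValue) {
  win.password = fieldValue;
}

// (b) Scoped alternative: read the field, hand the value to the sender, keep no
//     reference. Afterwards nothing reachable from `win` points at the value.
function submitWithoutRetaining(win, fieldValue, send) {
  let secret = fieldValue;
  try {
    return send(secret);
  } finally {
    secret = null; // drop our only reference as soon as it has been used
  }
}

// (c) Audit: names of own properties of `win` whose value is `value`, looking
//     one level into plain objects (e.g. a global `state` bag). This is the
//     same access path the answer describes: anything here is one `alert(name)`
//     away in the developer tools, and readable by any script on the page.
function globalsHoldingValue(win, value) {
  const hits = [];
  for (const key of Object.keys(win)) {
    const v = win[key];
    if (v === value) {
      hits.push(key);
    } else if (v && typeof v === 'object') {
      for (const sub of Object.keys(v)) {
        if (v[sub] === value) hits.push(`${key}.${sub}`);
      }
    }
  }
  return hits;
}

// Run both patterns against stand-in window objects and report what leaks.
function demo() {
  const winGlobal = {};
  storeInGlobal(winGlobal, PASSWORD);
  winGlobal.state = { user: 'alice', pw: PASSWORD }; // a second common leak: a global state object
  const leakedGlobal = globalsHoldingValue(winGlobal, PASSWORD); // ['password', 'state.pw']

  const winScoped = {};
  let sentLength = 0;
  submitWithoutRetaining(winScoped, PASSWORD, s => { sentLength = s.length; return 'ok'; });
  const leakedScoped = globalsHoldingValue(winScoped, PASSWORD); // []
  return { leakedGlobal, leakedScoped, sentLength };
}
```

Against a real page, `globalsHoldingValue(window, document.getElementById('password').value)` run from the devtools console answers whether the page has copied the field's contents into any global.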

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/18153635/holding-password-in-javascript-variable-security-implications
