Let’s discuss some security concerns that arise when using the jQuery library in web applications.
As you all know, jQuery is a simple, fast and concise JavaScript library used to simplify HTML document traversal, animation, event handling, etc. Nowadays I see people suggesting, or being forced, to use jQuery as an alternative to JavaScript. So what if I say JavaScript = jQuery? Is it a replacement? Anyway, that’s a separate topic to be discussed.
How often do you use jQuery in your applications? Let’s say you need an image slideshow kind of feature on your website. This can easily be achieved with freely available jQuery plugins or libraries. Just find the source code of the examples, use it the same way and it’s done. Your slideshow is ready, easy and fast. Did you ever spend time investigating what code is written inside the library? No, who cares.
Note: I am not against jQuery, but let the concerns, given below, help everyone to think twice before using jQuery.
Let’s look into some important points before using jQuery:
- Check the jQuery libraries before using them
Open the library, read it and check whether any unwanted code is present. I agree, it’s difficult to read the entire code, and that is exactly why a jQuery library becomes a good place to hide malicious code. A few things we can take care of are:
  - Check the library version: is it the latest or not?
  - jQuery comes in two versions:
    - the compressed, minified or production version;
    - the uncompressed or development version.
    To save bandwidth, always use the minified version in production (the uncompressed version is the one to read when reviewing the code).
  - Check which external links are used in the code. Here is a recent hack.
  - Check the file size; if it is unusually large, something may be fishy in the code.
  - Check for performance issues, using freely available tools like IE Developer Tools, Fiddler, Firebug, etc.
  - Also go through the available library documentation, which has more information about browser compatibility, cross-browser behaviour, etc.
  - Check whether document.write is used. If so, dive deep into the code: document.write can add further external script references that only appear at runtime.
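The checklist above can be partly automated. The following is an added example, not code from the original post: a small static audit, runnable in Node, that flags the patterns named in the list (document.write and similar runtime sinks, external links not on an allowed host, and an oversized file). The plugin text, the size threshold and the allowed-host list are constructed assumptions for the demo.

```javascript
// Added example, not code from the original post: a small static audit that
// flags the patterns the checklist above names in a jQuery plugin file.
// The plugin text below is constructed for the demo; the size threshold and
// the allowed-host list are assumptions you would tune for your own project.

const SUSPICIOUS_SINKS = [
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(/g },
  { name: 'eval', re: /\beval\s*\(/g },
  { name: 'new Function', re: /new\s+Function\s*\(/g },
];
// Any absolute http(s) URL embedded in the script text.
const EXTERNAL_URL = /https?:\/\/[^\s'"`<>)]+/g;
const DEFAULT_MAX_BYTES = 100 * 1024; // assumption: a slideshow plugin above ~100 KB deserves a closer look

function auditScript(source, { allowedHosts = [], maxBytes = DEFAULT_MAX_BYTES } = {}) {
  const findings = [];

  // 1. Runtime code-injection sinks (document.write can add script tags at runtime).
  for (const { name, re } of SUSPICIOUS_SINKS) {
    const hits = source.match(re);
    if (hits) findings.push({ kind: 'sink', detail: name, count: hits.length });
  }

  // 2. External links: anything not on an explicitly allowed host is reported.
  for (const raw of source.match(EXTERNAL_URL) || []) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; }
    if (!allowedHosts.includes(host)) findings.push({ kind: 'external-url', detail: raw });
  }

  // 3. File size: an unexpectedly large file is worth a second look.
  const bytes = Buffer.byteLength(source, 'utf8');
  if (bytes > maxBytes) findings.push({ kind: 'size', detail: `${bytes} bytes` });

  return findings;
}

// Constructed sample: a plugin that carries a hidden tracker next to a legitimate licence link.
const SAMPLE_PLUGIN = [
  '/*! slideshow plugin - licence: https://jquery.org/license */',
  '(function ($) {',
  '  $.fn.slideshow = function () { return this.each(function () { /* ... */ }); };',
  '  document.write(\'<script src="http://example.invalid/tracker.js"></script>\');',
  '})(jQuery);',
].join('\n');

console.log(auditScript(SAMPLE_PLUGIN, { allowedHosts: ['jquery.org'] }));
```

Run it against the file you are about to ship; an empty result does not prove the plugin is clean, but any finding tells you exactly where to start reading.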
- Source code is difficult to protect
Yes, your jQuery script can easily be accessed or downloaded by any user. It’s difficult to protect the code logic, and it is fully exposed to attackers. Just right-click > View Source to get the jQuery link and paste it into the browser. There are ways to obfuscate the code or remove the references dynamically, but these require extensive browser-compatibility testing and rarely succeed.
Note: Never put any user-authentication-related information in jQuery or JavaScript, such as username and password validation. Always do it on the server side.
- Prevent Cross-site Scripting and jQuery Injection attacks
How do you avoid or prevent Cross-site Scripting and jQuery injection attacks?
- Check for any unwanted redirection, like window.location, location.href, etc.
- Check for any document.cookie being used and stored.
- Check for any iframe syntax or attributes used.
- Validate JSON responses and always parse them with the browser’s native JSON.parse, never eval.
- Use the .text() method instead of .html().
- Always encode HTML characters.
- Use HTML purifiers in both client- and server-side code.
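The following is an added example, not code from the original post: framework-free versions of three of the checks above (encoding before .html(), strict JSON parsing, and validating a redirect target), written so they run in Node without jQuery. In jQuery, $(el).text(value) sets plain text safely while $(el).html(value) parses value as markup, so anything you build as a markup string must be encoded first. The application origin and the sample inputs are constructed for the demo.

```javascript
// Added example, not code from the original post: framework-free versions of
// the checks listed above, runnable in Node. In jQuery, $(el).text(value)
// sets plain text safely while $(el).html(value) parses value as markup; when
// you must build markup as a string, encode every user-controlled field first.
// The app origin and the sample inputs are constructed for the demo.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Markup destined for .html(): user-controlled fields are encoded, so a comment
// body of "<script>...</script>" is displayed as text, not executed.
function renderComment({ author, body }) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Parse a JSON response with JSON.parse (never eval) and insist on a plain object,
// so a response that is a bare string, array or null cannot slip through.
function parseJsonObject(text) {
  const data = JSON.parse(text);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('expected a JSON object');
  }
  return data;
}

const APP_ORIGIN = 'https://app.example'; // assumption: the only origin redirects may target

// Accept only same-origin relative paths before assigning to location.href.
// Rejects "//other.host/...", "javascript:..." and absolute URLs elsewhere.
function isSafeRedirect(target) {
  if (typeof target !== 'string' || !target.startsWith('/')) return false;
  try {
    return new URL(target, APP_ORIGIN).origin === APP_ORIGIN;
  } catch {
    return false;
  }
}

console.log(renderComment({ author: 'guest', body: '<script>alert(1)</script>' }));
console.log(isSafeRedirect('/account'), isSafeRedirect('//other.example/login')); // true false
```

The redirect check resolves the target against your own origin and compares origins rather than inspecting the string by hand, which is what catches protocol-relative values such as //other.example that a plain "starts with /" test would let through.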
- Put all your scripts at the bottom of your page
As a best practice, include all your scripts at the bottom of the page; the DOM is then already parsed when the scripts run, so you can avoid unnecessary document.ready handlers that fire on every page load.
- Do we need CDNs?
Content Delivery Networks are servers where the latest jQuery libraries are hosted, for example by Google. If your website is publicly hosted, it is convenient to load the library directly from an available CDN. The browser downloads the CDN-hosted file in parallel with the files from your own website and caches it the first time, so on later visits users get the cached (or latest) version of the library, which also reduces traffic on your website.
Sometimes these CDN-hosted files are not good for our websites. Consider a situation where your security or testing team approves your library for production and it goes live. After a few days, your site stops functioning or gets hacked due to some new changes (good or bad) in the CDN-hosted library: a security breach has happened. How will this impact your site? You can’t even make changes to the live library. If the library had been downloaded and saved on your own server, the risk would not impact your website. If you do load from a CDN, pin an exact version and add a Subresource Integrity hash so the browser rejects a file that differs from the one your team reviewed.
There are other issues too, such as poor performance due to slow CDN servers, or the servers being unavailable. So before using CDNs, consult your security team.
Conclusion
There are lots of other security concerns, such as Cross-site request forgery (CSRF or XSRF), broken access control, etc., so make sure the jQuery library is well studied before using it.
I have just tried to pinpoint some basic issues to consider before using jQuery, so do more research on jQuery libraries before using them.