Why injecting javascript code is a bad idea

javascript injection
how to prevent javascript injection
malicious javascript examples
cross site scripting
inject javascript in url
how to inject javascript into a web page
how to prevent script injection in java
malicious javascript github

I have a web project which is developed by asp.net

In my web project, i have a page called as (MainPage). In MainPage according to query string, the last user can see a survey edit form (www.a.com?entity=survey@op=edit) or a parameter insertion form (www.a.com?entity=parameter&op=add) or etc....

The query string examples above are just examples since i encrypt them and actually the last user see some complex words on url

ex: www.a.com?saşlfas571=sflkmlm11sd&13kjn13=1378183

Moreover, in MainPage i m loading a javascript called as MainPageJs and it shows correct js codes according to query string.

I m loading MainPageJs in MainPage.cshtml

@section scripts{

<script type="text/javascript" src="@CustomUrl.CustomAction("MainPageJS", "Home", new { entity= entityName, op = opName })"></script>

}

The below code shows that how MainPageJs works

 ....
 string res = "";
 if (queryString == "parameter")
 {
       res = "var a = 1;";
 }
 if (queryString == "survey")
 {
      res = "var a = 2;";
 }
 if (queryString == "user")
 {
      res = "var a = 3;";
 }

 return JavaScript(res.ToString()); 

Now the thing I wonder is that,

  1. Does my code style have any security problems?
  2. Does my web page have any security vulnerability?
  3. Does this style have a JavaScript code injection vulnerability?

is my code style has any security problem?

no. there is nothig wrong with dynamic code executed on the client. at least from security point of view (you should still control performance of it)

is my web page has security vulnerability?

no. you can't broke anything executing dynamic code on the client. "dynamic" code is executed in the same sandbox with the same privileges as your common js.

is this style has a javascript code injection vulnerability?

Some people use term "JavaScript Injection Attack" - to name side effects of $( userInput ).insertAfter( .. ); - when user can run some javascript from user's input (if userInput contains <script>...</script>) but it is not related to dynamic JS, it is more about dynamic HTML.

Why injecting javascript code is a bad idea, is my code style has any security problem? no. there is nothig wrong with dynamic code executed on the client. at least from security point of  Why @Inject is a Bad Idea and all of them not only help the framework perform injections but also makes the code easier to read. Here's an example: @Inject void init(Foo foo, Bar bar, Some

Does my code style have any security problems?
Does my web page have any security vulnerability?
Does this style have a JavaScript code injection
vulnerability?

It is totally depend on your ASP code implemetation. From your question, I don't see big security issue. However, If you are not familiar with vulnerability or security, I would not recommend the code style.

Here are some reasons.

  1. You opened your URL to public. Even if you encode it, some dodge people will try to hack it. For example, from different URLs, hacker can decode it. I prefer to hide it and don't give them a chance. Also you can use URL as more readable resource for search engine.

  2. If you don't use framework, you might need to implement filter of parameters to prevent Injection attack(SQL, JS). It takes time.

  3. It is hard to maintain the code. As your code is mixed with ASP and JS, it it getting harder when your code is bigger, especially, when you deal with View like HTML with JS in ASP code.

Beautiful JavaScript: Leading Programmers Explain How They Think, your output format of choice (HTML, for example), and some error checking, this If we forget for a second that the templating language contains JavaScript code​, work to its more advanced peer, we can get good results with very little work. The authors of the templates can inject arbitrary code into your program, and  Global variables and function names are an incredibly bad idea. The reason is that every JavaScript file included in the page runs in the same scope. If you have global variables or functions in your code, scripts included after yours that contain the same variable and function names will overwrite your variables/functions.

If you are encrypting client-side, it is possible for the user to actually see what is being sent to the application before it gets encrypted. There are tools to monitor client-side activity (such as YSlow) and a malicious user with technical expertise could use it to detect possible front-end vulnerabilities. Remember to never trust user input, and allowing an user to pass inject code in your app is never a good choice.

How Companies Are Hacked via Malicious Javascript Code?, JavaScript is good for the most part, but it just happens to be so flexible Malicious Code Injection This is very good thing for the security. The point is that's it's easier for me to inject code into your browser. Let's say you're using eval on a query string. If I trick you into clicking a link that goes to that site with my query string attached, I've now executed my code on your machine with full permission from the browser.

Secure Your Node.js Web Application: Keep Attackers Out and Users , cleanFormula + ' is: ' }); The code injection attack's success factor depends on privileges (which I've pointed out previously is a Very Bad Idea), the attacker  As most people well know, all programming languages have their faults. Some have more than others. However, JavaScript is especially bad. That’s why you can find so many complaints about JavaScript on the web. One of the most amazing and distressing things about JavaScript is that it can actually fail silently at

Why Should I Avoid Inline Scripting?, I'm one of those developers who can't put JavaScript code inside HTML. In the same way, you can easily have external JavaScript source code injected into HTML at As for the second - that's not necessarily a bad thing. JavaScript might be a horrible language to work with, but it does have great potential as an environment. Douglas Crockford made a short yet accurate statement in his book JavaScript: The Good Parts (which I highly recommend, it’s an excellent read): JavaScript is built on some very good ideas and a few very bad ones. That sums it up pretty well.

Responsive design, injecting code via Javascript: Is it bad practice , The idea to make a site mobile friendly is excellent, but I don't think your method is best, especially if later you decide to monetize your website  When pure (no side-effect) components of a domain model are injecting and mocking each other, the result is a huge waste of everyone's time, a bloated and fragile codebase, and low confidence in the resulting system. Mock at the system's boundaries, not between arbitrary pieces of the same system.

Comments
  • You might get a better response on codereview.stackexchange.com and/or security.stackexchange.com
  • If you directly insert values from the query string enter the generated code then you have a severe vulnerability. If you are just writing code like in your sample where you statically determine the generated code then you may be safe but there is a better way to write such code.