getsentry / sentry-javascript

Official Sentry SDKs for JavaScript
https://sentry.io
MIT License
7.76k stars, 1.52k forks

[security issue] Detect if source code is manipulated in the browser #12411

Open smeubank opened 1 month ago

smeubank commented 1 month ago

Problem Statement

It is possible via dev tools to manipulate a website's source code and run your own JS, potentially attempting nefarious acts, without the website's maintainer realizing that some change has been forced on their frontend.

Solution Brainstorm

Could Sentry running in the browser detect when something like this occurs?

Could Sentry detect leaked server code?

Related reddit thread

https://www.reddit.com/r/reactjs/comments/1d25n54/comment/l63esjy/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

AbhiPrasad commented 1 month ago

There are JS security products that attempt to detect if built-ins like setTimeout have been tampered with. We can do that too (if someone is trying to monkeypatch your sdk code).

Could Sentry detect leaked server code?

Maybe by static analysis? And confirming it via production code being run? We'll need profiling data though.
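The tamper check described above (detecting whether built-ins such as setTimeout have been monkeypatched), as an added example that is not part of the Sentry SDK or of this thread. The helper names (`snapshotBuiltins`, `auditBuiltins`, `looksNative`, `demo`) are hypothetical. It combines two checks: reference identity against a snapshot taken as early as possible, and a source-text check through a saved copy of `Function.prototype.toString`, so that an attacker who forges a function's own `toString` or patches `Function.prototype.toString` later does not evade it. The demo patches two globals (a wrapper with a forged `toString`, and a `Proxy`) and shows that the Proxy passes the source check but fails the identity check.

```javascript
// Added example, not Sentry SDK code. Runs in any ES2015+ engine (browser or Node).
// Capture the real toString as early as possible: if the page later replaces
// Function.prototype.toString, a patched function could claim "[native code]".
const NATIVE_TO_STRING = Function.prototype.toString;
const NATIVE_RE = /^function\s*[\w$]*\s*\(\s*\)\s*\{\s*\[native code\]\s*\}$/;

// Record references to the named globals (ideally from the first script on the page).
function snapshotBuiltins(names, root = globalThis) {
  const snap = new Map();
  for (const name of names) snap.set(name, root[name]);
  return snap;
}

// Source check: real engine built-ins stringify to "function name() { [native code] }".
// Uses the saved toString via .call, so an own `toString` property on fn is ignored.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(NATIVE_TO_STRING.call(fn));
  } catch (e) {
    return false; // revoked Proxy or similar
  }
}

// Compare the current globals with the snapshot. Returns [{ name, reason }].
function auditBuiltins(snapshot, root = globalThis) {
  const findings = [];
  if (Function.prototype.toString !== NATIVE_TO_STRING) {
    findings.push({ name: 'Function.prototype.toString', reason: 'reference-changed' });
  }
  for (const [name, original] of snapshot) {
    const current = root[name];
    if (current !== original) {
      findings.push({ name, reason: 'reference-changed' });
    } else if (typeof original === 'function' && !looksNative(current)) {
      // Only reachable when the snapshot itself was taken after tampering.
      findings.push({ name, reason: 'not-native-source' });
    }
  }
  return findings;
}

// Demo with constructed tampering: patch globals, audit, then restore them.
function demo() {
  const names = ['parseInt', 'encodeURIComponent', 'isNaN'];
  const clean = snapshotBuiltins(names); // "early" snapshot, before tampering
  const originals = { parseInt, encodeURIComponent, isNaN };
  try {
    // 1. Plain wrapper with a forged own toString to look native.
    const wrapped = function (s, r) { return originals.parseInt(s, r); };
    wrapped.toString = () => 'function parseInt() { [native code] }';
    globalThis.parseInt = wrapped;
    // 2. Proxy around the real function: stringifies as native code, different identity.
    globalThis.encodeURIComponent = new Proxy(originals.encodeURIComponent, {});

    const early = auditBuiltins(clean);
    // A snapshot taken after tampering cannot use identity; only the source check helps.
    const late = auditBuiltins(snapshotBuiltins(names));
    return { early, late };
  } finally {
    Object.assign(globalThis, originals);
  }
}
```

Caveat for the source check: it is only meaningful for functions the engine itself implements. In Node, `setTimeout` is written in JavaScript, so `looksNative(setTimeout)` is false there even when nothing has been patched, while in browsers it is native; the list of names to source-check therefore has to be chosen per runtime, and the identity check is the one that works everywhere.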