prototypejs / prototype

Prototype JavaScript framework
http://prototypejs.org/

Dynamic code injection, lines 1861 and 744 #291

Closed jwalantdesai closed 9 years ago

jwalantdesai commented 9 years ago

There is an input validation and representation issue on line 1861. Line 744 accepts unvalidated user input. Line 6004 uses an insecure randomness function. As per Fortify 4.2 there are lots of other issues. At least in a new project, we cannot start with this library.

walterdavis commented 9 years ago

Uh, it's JavaScript. It runs in a browser. It is inherently insecure. Your server endpoints need to be hardened against attacks from this and any other vector. There is nothing that will protect you in JavaScript from the user, because they own the code.

savetheclocktower commented 9 years ago

One of the calls to eval is part of JSON parsing and is a standard fallback you'd find even in Crockford's json2.js. The other one will only get called on same-domain Ajax requests.

As for the Math.random call: that's in Sizzle, so you'll have to complain to them. (Not sure what's insecure about it in that context, either.)
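As an added illustration of the guarded fallback described in the comment above (example code written for this thread, not Prototype's or json2.js's own source), the filter below mirrors the json2.js approach: every JSON literal is rewritten to a harmless token and eval() is only reached when nothing but JSON punctuation is left, so a response body containing code never reaches it.

```javascript
// Added example: json2.js-style guard in front of an eval() JSON fallback.
// The three replacements reduce any valid JSON text to ']', ':', ',', '{', '}'
// and whitespace; identifiers, parentheses or operators survive the rewrite
// and cause the check to fail before anything is evaluated.
function isJsonText(text) {
  var str = String(text);
  if (!str.trim()) return false;
  // 1. escape sequences inside strings become '@'
  str = str.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@");
  // 2. string, number, true/false/null literals become ']'
  str = str.replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]");
  // 3. array openers that follow ':' or ',' (or start the text) are dropped
  str = str.replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  // 4. only JSON punctuation and whitespace may remain
  return /^[\],:{}\s]*$/.test(str);
}

// Prefer the native parser; the guarded eval() is used only where JSON.parse
// is unavailable (forceFallback exists so the fallback path can be exercised
// in a modern engine and is an assumption of this example).
function parseJson(text, forceFallback) {
  if (!forceFallback && typeof JSON === "object" && typeof JSON.parse === "function") {
    return JSON.parse(text);
  }
  if (!isJsonText(text)) {
    throw new SyntaxError("Badly formed JSON string: " + text);
  }
  // Parenthesised so an object literal is parsed as an expression, not a block.
  return eval("(" + text + ")");
}
```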

jwalantdesai commented 9 years ago

There are same-origin verification techniques that will verify that an Ajax request comes from the same user session and origin.

There are token generating techniques which help manage and identify the same token and session. So even if it is open source, generating the same token is not possible. How come you accept arguments in methods without validating them?

Thanking you

On Tuesday, April 14, 2015, Walter Lee Davis notifications@github.com wrote:

Uh, it's JavaScript. It runs in a browser. It is inherently insecure. Your server endpoints need to be hardened against attacks from this and any other vector. There is nothing that will protect you in JavaScript from the user, because they own the code.
