
Security issue of extjs [closed]

Closed. This question is opinion-based. It is not currently accepting answers.


Closed 7 years ago.


How can I convince my client that ExtJS is safe to use? Or better, how can I assure that my programming is safe in ExtJS 3.x, so that data does not get into the wrong hands or cannot be hacked? Or, if somebody downloads my website's JavaScript with some tool on their desktop, how will I make sure it will not run? And many more things, like SQL injection.


bmoeskau's book recommendation looks good. I wasn't aware of that title, but I think I'm going to go buy it.

Building on the second part of his answer, you'll want to ensure that you fully understand what you're doing. Please don't take offense, but your question suggests that you don't have a very complete grasp of how these kinds of applications work.

In any web-based application, you cannot trust the client. It doesn't matter if the client is plain old HTML, some kind of AJAXified DHTML, a completely ExtJS-driven application, a Flash movie, or a native desktop application. They're all clients, and they're all trivially corruptible.

Your server-side code is where you defend yourself. Always. No exceptions. Ever.

Worried about SQL Injection (as you should be)? -- Protect against it on the server. (If you're writing client code that creates SQL and sends it to the server, you're almost certainly very, very wrong).

Need to make sure only certain users see/touch certain data? -- You need a solid authentication/authorization framework on the server.

You should also be worried about CSRF -- Again, the server-side architecture needs to protect against it.

Anyone using your app will have all your JavaScript code on their local machine. That's a fact of life. And that's exactly why you never trust the client.

Almost every vulnerability that can affect an ExtJS-based app can affect any other app as well.

So, you can tell your client that ExtJS is no more or less secure than any other client-side technology. That's because security is the server-side code's job, and not the client.

To avoid these vulnerabilities, you need to read, comprehend, and write your code thoughtfully. No matter what libraries or technologies you're using.
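To make the server-side points above concrete, here is an added example; it is not code from the question, from this answer, or from the ExtJS project. The page names no server language or database, so the example assumes a Python handler with an in-memory sqlite3 table, and the request and session shapes (`session`, `request["headers"]`, the `X-CSRF-Token` header name, the invoice rows) are constructed for the demo. It puts a string-built query beside its parameterised form, then shows a handler that takes identity from the server-side session, checks a per-session CSRF token, and ignores the client-chosen `owner` parameter entirely.

```python
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the real backend (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO invoices (owner, amount) VALUES (?, ?)",
        [("alice", 120.0), ("bob", 75.5), ("alice", 19.99)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, owner):
    """SQL built by string concatenation: whatever the client sends becomes part of the statement."""
    sql = "SELECT owner, amount FROM invoices WHERE owner = '" + owner + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, owner):
    """Parameterised query: the driver binds the value, so it cannot change the statement's structure."""
    return conn.execute(
        "SELECT owner, amount FROM invoices WHERE owner = ? ORDER BY id", (owner,)
    ).fetchall()


def issue_csrf_token(session):
    """Generate a random per-session token; the server stores it and the page embeds it for the client."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def handle_list_invoices(conn, session, request):
    """Server-side handler for a hypothetical 'list my invoices' endpoint.

    Returns (http_status, rows). `session` is server-side state keyed by the session cookie;
    `request` is the parsed client request (assumed shape: {"headers": {...}, "params": {...}}).
    """
    # 1. Authentication: identity comes from the server-side session, never from the request.
    user = session.get("user")
    if user is None:
        return 401, []

    # 2. CSRF: the client must echo back the token this session was issued; compare in constant time.
    sent = request.get("headers", {}).get("X-CSRF-Token", "")
    expected = session.get("csrf", "")
    if not expected or not hmac.compare_digest(sent, expected):
        return 403, []

    # 3. Authorization: filter rows by the authenticated user. A client-supplied
    #    params["owner"] is deliberately ignored, because the client can set it to anything.
    return 200, safe_lookup(conn, user)


if __name__ == "__main__":
    db = make_db()
    # Constructed tampered value: the string-built query returns every row, the bound query none.
    tampered = "x' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, tampered))
    print("safe:      ", safe_lookup(db, tampered))
    sess = {"user": "alice"}
    token = issue_csrf_token(sess)
    print(handle_list_invoices(db, sess, {"headers": {"X-CSRF-Token": token}, "params": {"owner": "bob"}}))
```

Note that the three checks live entirely on the server: nothing the client-side ExtJS code does or fails to do can weaken them, which is the point of the answer above.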


I would highly recommend this book. Your security has very little to do with the JS framework you choose, and almost everything to do with the practices that you, the programmer, follow in your apps.


A reply from the ExtJS Sencha forum gives a generalized answer for any JS framework.

Client-side code, as you've pointed out, can (somewhat) easily be manipulated using Firebug or other debugging tool. There's not a single thing you can do about that.

Search the forums for other topics like this... it's been discussed about 1000 times.

Regarding your points:

1) As I just said, there's no way to prevent the user from altering the code already rendered to the page (or altering the server response). Your only option here is to (a) not load any code the user shouldn't have access to, and (b) make sure that IF the user is smart enough to hack the UI that your server layer has the necessary security in place.

This isn't the flaw of Sencha's code... it's a gaping security hole in all web applications.

2) Again, you've pointed out that you can minify/obfuscate your code... but if the browser can read it, your users can see it too. Not a thing you can do about it.

3) XSS has nothing to do with the Sencha frameworks. It's a vulnerability that any webpage can have... it's up to your server-level security to prevent bad code from entering your database.

4) More of the same. If the user can manipulate the client-side code at any time, there's nothing stopping them from injecting crap data into the request.


I've said this a million times already (here and similar posts) - the client is inherently insecure. That's not going to change for a really long time, and has nothing to do with ExtJS. You'd have exactly the same problem with jQuery, Dojo, or any other tool.
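Points 3) and 4) above (XSS, and a client "injecting crap data into the request") are what server-side input validation and output encoding exist for. The following is an added example, not code from the forum reply or from Sencha. It assumes a Python server and a constructed order-submission endpoint; the JSON field names, the `CATALOG` price list and the tampered request body are all made up for the demo. The validator rejects out-of-range or wrongly-typed fields, discards client-supplied values the server must own (price, role) and recomputes them, and the renderer HTML-escapes stored text so a script tag saved in a note is displayed as text rather than executed.

```python
import html
import json

# Constructed sample of a tampered ExtJS form submission, as a user who edited the request in a
# debugger might send it: negative quantity, a self-chosen price, an escalated role, a script tag.
TAMPERED_ORDER_JSON = (
    '{"item_id": 42, "quantity": -3, "unit_price": 0.01, '
    '"role": "admin", "note": "<script>alert(1)</script>"}'
)

# Constructed server-side price list (assumption for the demo); prices never come from the client.
CATALOG = {42: 19.99, 7: 5.00}


def _is_int(value):
    """True for real integers only; bool is a subclass of int in Python and must be excluded."""
    return isinstance(value, int) and not isinstance(value, bool)


def validate_order(raw_json):
    """Parse and validate an order body posted by the client.

    Returns (order, errors). `order` is None when any check fails. Fields the server must own
    (unit_price, total, role) are ignored if present in the request and rebuilt server-side.
    """
    try:
        data = json.loads(raw_json)
    except ValueError:
        return None, ["body is not valid JSON"]
    if not isinstance(data, dict):
        return None, ["body must be a JSON object"]

    errors = []
    item_id = data.get("item_id")
    if not _is_int(item_id) or item_id not in CATALOG:
        errors.append("unknown item_id")
    quantity = data.get("quantity")
    if not _is_int(quantity) or not 1 <= quantity <= 100:
        errors.append("quantity must be an integer between 1 and 100")
    note = data.get("note", "")
    if not isinstance(note, str) or len(note) > 200:
        errors.append("note must be a string of at most 200 characters")
    if errors:
        return None, errors

    # Price and total are computed from the server's catalog; "role" is dropped because
    # privileges come from the authenticated session, never from the request body.
    unit_price = CATALOG[item_id]
    order = {
        "item_id": item_id,
        "quantity": quantity,
        "unit_price": unit_price,
        "total": round(unit_price * quantity, 2),
        "note": note,
    }
    return order, []


def render_note(note):
    """Escape stored text at output time so it is shown as text inside the HTML, not parsed as markup."""
    return "<td>" + html.escape(note, quote=True) + "</td>"


if __name__ == "__main__":
    print(validate_order(TAMPERED_ORDER_JSON))
    ok, errs = validate_order('{"item_id": 42, "quantity": 3, "note": "thanks"}')
    print(ok, errs)
    print(render_note("<script>alert(1)</script>"))
```

The validator accepts a note containing a script tag as plain text (it is just a string within the length limit); what keeps it harmless is that every place the note is later written into a page goes through `render_note`, so the defence does not depend on guessing every string that could be "bad code".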

