Question

I have a question about JavaScript's protected memory. If I have a function done like this:

var obj = function(){
    var secret = "secret",
        super_secret = "my super secret string";   
    return {
        get_secret: function() {
            return secret;
        }()
    }
}();

Is it possible to get the string from super_secret by any means?

I saw some exploit that used throw() and Error() to get a variable out of a function. However, that wasn't done with a closure. All input and "hunches" are very welcome. I'm planning a project where I need to be sure that there isn't any known way to extract or modify the super_secret variable.

Solution

There is almost no way to do this. Even if you load the data from some server that is not on the page to begin with, I can easily open Firebug and start debugging to find the value. If you must have security then don't expose the data. Even encrypting the data won't help because the key would probably be somewhere in the JavaScript.

Maybe if you share what your problem is then we can think of a better solution. JavaScript probably is not your best option here.

Edit: using the debugger you can do anything! Here is a screenshot.

Other tips

Assuming this is going to end up running in a browser, someone could just view the source and copy-paste it (you did say "any means" :-).

Also, if someone can get arbitrary JavaScript to run on your site, keeping a key secret is the least of your problems.

The only thing you can really do is encrypt and decrypt super_secret, server-side. If you send unencrypted data to the client or give it the means to decrypt your data, your data is available to the client and you shouldn't rely on its being hidden.
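
The server-side approach described in the answer above, as an added example that is not part of the original posts: the value is encrypted and authenticated with AES-256-GCM on the server (Node.js built-in crypto), so the browser only holds an opaque token it can neither read nor modify undetected. The names sealForClient, openFromClient, tamper and SERVER_KEY are hypothetical, and the per-process random key is an assumption made so the example runs offline.

```javascript
// Added example: server-side (Node.js) code. All names are hypothetical.
const crypto = require("node:crypto");

// Assumption: a real deployment loads this key from a server-side secret
// store; it is generated per process here so the example runs offline.
const SERVER_KEY = crypto.randomBytes(32);

// Encrypt a value so the browser only ever holds an opaque token.
function sealForClient(plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every token
  const cipher = crypto.createCipheriv("aes-256-gcm", SERVER_KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return Buffer.concat([iv, tag, ct]).toString("base64url");
}

// Decrypt a token sent back by the client; null if malformed or tampered.
function openFromClient(token) {
  if (typeof token !== "string") return null;
  const raw = Buffer.from(token, "base64url");
  if (raw.length < 12 + 16) return null; // too short to hold nonce + tag
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", SERVER_KEY, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: the token was modified or forged
  }
}

// Flip one bit of a token to simulate client-side modification (constructed input).
function tamper(token) {
  const raw = Buffer.from(token, "base64url");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64url");
}

const token = sealForClient("my super secret string");
console.log("sent to browser:", token);
console.log("round trip ok:", openFromClient(token) === "my super secret string");
console.log("tampered token:", openFromClient(tamper(token)));
```
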

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow