- Any JavaScript on the page has the same rights as the others,
regardless of where it came from. If you can inject a script via XSS, it
can do and access whatever the other scripts can.
This means you should not try to do any of the following in JavaScript:
- Store sensitive information (e.g. credit card numbers, any real user
data)
- Store cookies containing session data
- Try to protect content (e.g. right-click scripts, email obfuscation)
- Replace your server or save on server traffic without a fallback
- Rely on JavaScript as the only means of validation. Attackers can turn
off JavaScript and get full access to your system
- Trust any JavaScript that does not come from your server or a similar
trusted source
- Trust anything that comes from the URI, HTML or form fields. All of
these can be manipulated by attackers after the page has loaded. If you
use document.write() on unfiltered data, you expose yourself to
XSS attacks
In other words, AJAX is fun, but do not rely on its security. Whatever you do
in JavaScript can be monitored and logged by an end user with the right
tools.
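An added example, not from the original text, of the last point in the list above: a greeting page takes a name from the URI fragment and builds markup with it, once by splicing the raw value in (which is what document.write() on unfiltered data amounts to) and once with escaping. The URL shape, the function names and the sample fragments are assumptions made for the example.

```javascript
// Added example (not from the original text): the document.write() hazard
// from the list above, written as pure functions so it runs without a browser.
// Assumes a page that greets the visitor by a name taken from the URL
// fragment, e.g. https://example.test/hello#name=Alice (constructed URL).

// Parse "name" out of a location.hash value such as "#name=Alice".
function nameFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("name") || "stranger";
}

// Vulnerable: the value from the URI is spliced straight into markup.
// In the real page this string would be handed to document.write().
function renderUnsafe(name) {
  return "<p>Hello " + name + "</p>";
}

// Escape the five characters that let text break out of an HTML text node
// or attribute value, so the browser treats the input as data, not markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: same output shape, but attacker-controlled text cannot add tags.
// (With a DOM available, element.textContent = name is the simpler fix.)
function renderSafe(name) {
  return "<p>Hello " + escapeHtml(name) + "</p>";
}

// Check used below: does the rendered string contain any tag other than <p>?
function containsForeignTag(html) {
  return /<(?!\/?p>)[a-z!\/]/i.test(html);
}

// Constructed fragments: a normal visitor and one carrying markup.
const BENIGN = "#name=Alice";
const HOSTILE = "#name=" + encodeURIComponent("<script>/*injected*/</script>");

// Returns, per input, whether each renderer let foreign markup through.
function demo() {
  const results = {};
  for (const [label, hash] of [["benign", BENIGN], ["hostile", HOSTILE]]) {
    const name = nameFromFragment(hash);
    results[label] = {
      unsafe: containsForeignTag(renderUnsafe(name)),
      safe: containsForeignTag(renderSafe(name)),
    };
  }
  return results;
}
```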
PHP (or Any Server-Side Language)
Here be dragons! The server-side language is where you can really mess
up if you don’t know what you’re doing. The biggest problems are trusting