Now we can begin. Quick introduction to jQuery A lot of times, as developers work daily on new versions of web pages, you’ll hear them say, “Good God, I thank you for giving me jQuery.” What is jQuery? It is a lightweight programming library for JavaScript. Its main task is to manipulate the DOM tree of elements. What does it really offer? Now, in exchange for a really small performance decrease compared to a professionally written code in JavaScript, we get the opportunity to achieve amazing animation effects on our website. In addition, we can also make dynamic changes and do all of the Ajax requests. In fact, most of the available jQuery plugins do not require any changes to the HTML source. Ok, that should be enough introduction. Let’s move on. Reasonable use of jQuery on () Event to prevent default user shares This problem is really very interesting. Wcielmy is a bad hacker. What happens if he can invoke the default action using jQuery? Can it therefore call any action on your website? Or maybe he can do something more? So, the jQuery creator gave us something extra as developers. And that is a function of a (), which we can use to prevent the default action of the user when the user clicks on the link. Previously, we were using one of the default values by clicking on the redirect link. These were the “#”, “javascript :/ /”, “javascript.void (0)”. Today, however, we are dealing with something a little different. Namely, we can capture all the events using event.preventDefault (), which is called in the middle of a function. This is perfectly illustrated in the code below: / / Be careful what parameters you give to the function on () / / Note that we do the event within the function () $ (“# Something”). On (“click”, “a”, function (event) { event.preventDefault () / / preventDefault () / / Now we can do something / / It’s also advised to be careful and do not leave it on so the }); Note that the structure of the jQuery library has a lot of technical reasons why jQuery uses these options on the function (). To know more about the features on (), you can, of course, read the documentation for the jQuery library. Here is the link: http://api.jquery.com/on/. Threats coming from Reply () This error is not really strictly from jQuery. After jQuery, everything related to JavaScript is running on the client side. So how does using Reply () become dangerous? Consider the specific case. If you’re using Reply and download data for a logged in user, you might have a problem. As an attacker, I can look into the code and see there the following. Now, notice that pass user id probably used in jQuery. It is enough that with a slight modifying of your script, I can type a different user id. But what if you want to hide anything? And when I use validation? Well, of course they are not bad habits, but I would not only rely on jQuery or JavaScript. In addition, I’d be sure to check again that everything on the server side is certainly OK. Really, this is particularly important when you start thinking about using Ajax and DOM tree elements. In addition, I would always be 100% sure whether it will work even when JavaScript is disabled. Again, notice what I wrote. Well, if you do not make server-side filtering relevant nor check permissions of your users, or if you do not check if we can perform a code injection, everything is invalid and this will not help you. Every time I would be able to manipulate your data as much as I want, and it will not really cost you too much work. But also note one more thing. Even when you are not using jQuery, if your template is a form POST, I can also do it. How do you use GET? My action is simpler; I just type your address with the appropriate parameters. So as you can see, this solution is not really related to jQuery, but with skills in programming. Errors in the old versions I’ll say this: oh, God. Why use an old version of jQuery? What are you really after? Note that in the case of web applications and the languages used in their construction, each new version gives a lot of great improvements. First, the new version will always include amendments that affect safety and performance. Tell me, what is the point of using the old version of jQuery for new projects? Do you know how many bugs can appear on a jQuery project? Check it out and see if it is related to security issues. Using the old version is justified, but only in one case only. Well, sometimes the customer may require the use of an outdated version. If the customer is paying for it, you should be sure to do so. But if you have an old project with an old version of jQuery, do not hesitate, just go ahead and change it to a newer version. Removal of errors that may occur will certainly be cheaper to implement than using outdated versions. The website has to load fast. What do I care if it has great visual effects if it takes an hour to load? JQuery storage of the root page template Another fundamental error: If an attacker knows how to get to the subject, he is able to make many changes to multiple files. It can also replace the local version of jQuery with its own. And then what? The whole can begin to act as the attacker wants. Really it can then be interesting. And how do we fix it for a client? The customer can take offense at us and will never take advantage of our services. This also shows one more very important thing. Well, it is better to take advantage of the global copy of the jQuery library, contained for example in a Google API. This solution also has a substantial advantage. Using jQuery from an external server, namely the Google API, allows the search engine to continuously monitor our site. Not only do we have access to all of Google’s information, such as the number of visitors, it’s also in the event of any problems with our site, Google will inform you about the infected site. We can even put the link:
