Security of EXT.NET Store

  1. #1

    Security of EXT.NET Store

    Dear Danial,

    We have been using ext.net for the last year.
    One of our clients raised a question about the security of the client-side framework ext.net, especially the ext.net store,
    so we need your help to convey to them how ext.net is secure and that usage of the ext.net store is not vulnerable.

    Reference
    The client injected unwanted script from the Google chrome console to store and updated the database


    Thanks and regards
    Eilisys.
  2. #2
    Hi Eilisys,

    The client injected unwanted script from the Google chrome console to store and updated the database
    There is no way to stop a user from using a browser console to run any JavaScript. As well, there is no way to distinguish whether the data was injected from a browser console or from somewhere else. Moreover, it is not only a matter of JavaScript. A request to the server can be simulated without JavaScript and without a browser at all. Also, how could we determine what script is unwanted in a generic manner? It might be one thing in one application, but it is going to be completely different in another application. So, security checks are not quite a client-side job, and they are going to be specific to each application. As a conclusion, security checks should be done on the server side and they should follow your requirements. That is the only way to get a secure application.

    There is some good related discussion in the Sencha forum.
    https://www.sencha.com/forum/showthread.php?13913
    Last edited by Daniil; Oct 16, 2015 at 9:36 AM.
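    The server-side checks Daniil describes, as an added example that is not part of this thread and not Ext.NET code: a validator for the JSON batch a store would post back on sync. It is written in JavaScript (Node) so that it runs stand-alone; in an Ext.NET application the same logic would sit in the C# controller or business layer that receives the sync request. The field names (`id`, `qty`, `note`), the limits, the in-memory table and the user object are all assumptions made for the illustration, as is the decision to reject the whole batch when any record fails.

```javascript
// Added example, not Ext.NET code: the server-side half of a store sync.
// The client can change anything in the browser's store (console or not),
// so every record is re-checked here against data the server holds.
// Field names, limits and the in-memory "table" are assumed for illustration.

// Fields a client is allowed to change, with the type each must have.
const UPDATABLE_FIELDS = { id: "number", qty: "number", note: "string" };
const MAX_QTY = 100;
const MAX_NOTE_LENGTH = 200;

// Constructed sample table. ownerId and unitPrice never come from the client.
const DB = new Map([
  [1, { id: 1, ownerId: 42, qty: 2, note: "", unitPrice: 9.99 }],
  [2, { id: 2, ownerId: 7, qty: 1, note: "", unitPrice: 19.0 }],
]);

// Returns the problems found in one posted record; an empty list means it is acceptable.
function validateRecord(rec, user) {
  if (typeof rec !== "object" || rec === null || Array.isArray(rec)) {
    return ["record is not an object"];
  }
  const errors = [];
  for (const key of Object.keys(rec)) {
    if (!(key in UPDATABLE_FIELDS)) {
      errors.push(`field '${key}' is not updatable`);
    } else if (typeof rec[key] !== UPDATABLE_FIELDS[key]) {
      errors.push(`field '${key}' has the wrong type`);
    }
  }
  if (!Number.isInteger(rec.id)) {
    errors.push("id missing or not an integer");
    return errors; // nothing below can be checked without a usable id
  }
  if (rec.qty !== undefined && (!Number.isInteger(rec.qty) || rec.qty < 1 || rec.qty > MAX_QTY)) {
    errors.push(`qty must be an integer between 1 and ${MAX_QTY}`);
  }
  if (typeof rec.note === "string" && rec.note.length > MAX_NOTE_LENGTH) {
    errors.push("note too long");
  }
  const existing = DB.get(rec.id);
  if (!existing) {
    errors.push("no such record");
  } else if (existing.ownerId !== user.id && !user.isAdmin) {
    // Ownership is decided from the server's own row, not from anything posted.
    errors.push("not owner");
  }
  return errors;
}

// Handles the body of a sync request for an already authenticated user.
// All-or-nothing: a batch containing any bad record writes nothing.
function applyStoreSync(body, user) {
  let records;
  try {
    records = JSON.parse(body);
  } catch (e) {
    return { accepted: 0, rejected: [{ id: null, errors: ["body is not JSON"] }] };
  }
  if (!Array.isArray(records)) records = [records];

  const rejected = [];
  for (const rec of records) {
    const errors = validateRecord(rec, user);
    if (errors.length) rejected.push({ id: rec && rec.id, errors });
  }
  if (rejected.length) return { accepted: 0, rejected };

  for (const rec of records) {
    const row = DB.get(rec.id);
    // Copy only the whitelisted fields; anything else in the posted record is ignored.
    for (const key of Object.keys(UPDATABLE_FIELDS)) {
      if (key !== "id" && key in rec) row[key] = rec[key];
    }
  }
  return { accepted: records.length, rejected: [] };
}

// Demo: a batch a tampered client might send (a non-updatable price, plus someone else's record).
console.log(applyStoreSync(
  JSON.stringify([{ id: 1, qty: 1, unitPrice: 0.01 }, { id: 2, qty: 1 }]),
  { id: 42, isAdmin: false }
));
```

    The point of the example is that nothing about the check depends on how the client built the request: a record edited through the console, a modified store record, or a request forged with curl all arrive as the same JSON and all go through the same checks against server-held data.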
  3. #3

    Disable JavaScript commands to keep your data secure

    In order to prevent JavaScript commands from being executed on any Ext.NET objects (grid, store, ...), you can disable a user's ability to execute JavaScript console commands, as Facebook has done to keep users' information secure.
  4. #4
    Thank you for sharing this information! To be honest, I didn't know that was possible.

    It looks like this link provides a way to do it.
    http://davidwalsh.name/disable-console
  5. #5
    Attempting to disable the Console is a cute trick, but I'm sure that would take almost nothing to work around and disable. Please don't implement this in your application and assume you're now safe from attacks.

    This Console trick is the equivalent of a right-click blocker on images. Yes, you will fool the majority of people, the majority of time, but those people are not the ones that will be attempting to poke holes in your application.

    You can attempt some validation and security on the client, but these jobs must always be run on the server as well.

    Thanks for pointing out this Console disable trick. I too had never come across it.
    Last edited by geoffrey.mcgill; Nov 20, 2015 at 7:24 PM.
    Geoffrey McGill
    Founder
  6. #6
    Attempting to disable the Console is a cute trick, but I'm sure that would take almost nothing to work around and disable. Please don't implement this in your application and assume you're now safe from attacks.

    This Console trick is the equivalent of a right-click blocker on images. Yes, you will fool the majority of people, the majority of time, but those people are not the ones that will be attempting to poke holes in your application.
    Geoffrey, I completely agree with you.

    @Eilisys, all requests of my application are validated - validations are also performed on the Business Layer - and in addition ValidateAntiForgeryToken is used to prevent Cross-Site Request Forgery. It may help you to increase the security level of your application.

    Action
    using System.Web.Mvc;

    public class HomeController : Controller
    {
        // Checks the __RequestVerificationToken field posted by the form
        // (rendered with @Html.AntiForgeryToken()) against the anti-forgery cookie.
        // The token only travels with form posts, so pair the attribute with
        // [HttpPost]; a plain GET carries no token and would be rejected.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult View001() => View();
    }
    Controller
    using System.Web.Mvc;

    // At class level the check runs for every action in the controller,
    // including GET actions, which then must also carry a token.
    [ValidateAntiForgeryToken]
    public class HomeController : Controller
    {
        public ActionResult View001() => View();
    }
    Globally
    using System.Web;
    using System.Web.Mvc;

    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            RegisterGlobalFilters(GlobalFilters.Filters);
        }

        // As a global filter the check runs for every action in the application.
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new ValidateAntiForgeryTokenAttribute());
        }
    }
    Last edited by RaphaelSaldanha; Nov 20, 2015 at 6:45 PM.
