在javascript变量中保存密码-有安全隐患吗? [英] Holding password in javascript variable - security implications?

问题描述

除了在基于浏览器的客户端的常规安全漏洞之外，在浏览器的javascript变量中保留用户密码是否会暴露任何特定的安全漏洞?

Does holding a user's password in a javascript variable in the browser expose any specific security vulnerabilities, over and above the usual security vulnerabilities of a browser-based client?

将此代码段作为一个简单示例-在此处jsfiddle

Consider this snippet as a simple example - jsfiddle here

<label for="password">Password</label>
<input type="password" id="password"/><br/><br/>
<button type="button" id="pwdButton">Store password in window.password</button>

<script>
    function getContentsOfPasswordField() {
        return jQuery("input#password").val();
    }

    jQuery("button#pwdButton").on("click", function() {
        window.password = getContentsOfPasswordField();
        alert("'" + password + "' stored in global var window.password")
    });
</script>

在此示例中，password变量是全局变量，并且在页面的生存期内一直存在，只是为了使其尽可能易于攻击并给出最坏的情况.也许限制变量的范围/生存期可以使其免受某些类型的攻击?

In this example the password variable is global and persists for the lifetime of the page, just to make it as open-to-attack as possible and give the worst-case scenario. Perhaps limiting the scope/lifetime of the variable can shield it from certain classes of attacks?

立即想到的攻击是XSS，但是如果客户端首先容易受到XSS的攻击，则攻击者仍然可以通过密钥记录来读取密码(请参阅

The attack that comes immediately to mind is XSS, but then if the client is vulnerable to XSS in the first place, the attacker can read the password by key logging anyway (see this) so holding it in a variable doesn't, as far as I can see, increase vulnerability to XSS attacks.

请注意，问题的重点实际上不是这样做是否不好，这更多是关于客户端Web应用程序安全性的基本问题.

Please note the point of the question is not really whether or not doing this is a bad practice, this is more of a fundamental question about client-side web app security.

推荐答案

将密码保留在变量中使人们可以在其浏览器工具中轻松访问密码！ 假设按下存储密码按钮时调用的函数，将密码存储在名为password的变量中.即使之后根本不在页面上使用此变量，只需稍后在代码中的某个地方进行处理，所有要做的就是在浏览器中打开开发人员工具，添加诸如alert(password);和Bam之类的语句. ，密码就会从字面上弹出.

Leaving the password in a variable leaves it open to people to access simply in their browser tools! lets say the function called when the store password button is pressed, stores the password in a variable called password. Even if this variable is not used on the page at all after that, simply handled later on somewhere in the code, all one has to do is open up the developer tools in their browser, add in a statement like alert(password); , and Bam, the password literally pops up infront of them.

诚然，任何足以让某人这样做的简单代码都可能不值得在网络上使用，甚至不值得被他人干预，但我想这是我们真正有多么卑鄙的教训.

Admitedly, any code simple enough to let someone do that is probably unworthy of being on the web, and even less worthy of being meddled with, but I guess it's a lesson in how vunerable we really are.

这篇关于在javascript变量中保存密码-有安全隐患吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！