将密码存储在 Javascript 变量中的安全隐患是什么? [英] What are the security implications of storing passwords in Javascript variables?

问题描述

我正在开发一个需要良好安全性的网络应用.在目前的设计中，许多用户操作需要用户重新发送他们的密码(否则服务器将不得不以纯文本形式存储它，至少暂时如此).

I'm developing a web app which needs good security. In the present design, a number of user actions need the user to re-send their password (or else the server will have to store it in plain text, at least temporarily).

很多用户交互都是通过 AJAX 请求发生的.与其让用户为每个人重新输入密码，不如这样做:

Much user interaction happens through AJAX requests. Rather than have the user re-type the password for each, I'd like to do something like this:

var password_plain = document .getElementById ("password") .value;

ajax ("/login.php", {password: password_plain, username: ...});

// later

ajax ("/api.php", {password: password_plain, action: ...});

为了论证，假设设计通常是合理的，例如

Assume for the sake of the argument that the design is sensible in general, for example

• 服务器不会存储或泄露明文密码，

• the server does not store or leak the plain text password,

SSL 已正确设置

威胁模型是攻击者没有对客户端或服务器机器的物理访问权限，也不能在任一机器上运行任意代码，但可以诱使用户访问客户端浏览器中的其他恶意网页.

The threat model is that the attacker doesn't have physical access to either the client or server machine, and cannot run arbitrary code on either, but can entice the user to visit malicious other web pages in the client's browser.

密码在 javascript 变量中是否安全?

Is the password safe in a javascript variable?

推荐答案

视情况而定.

如果你没有正确地封闭你的范围，第三方脚本可以在执行期间读取和修改你的变量(假设它被保留了一个以上的事件循环滴答)，但是，这有点边缘情况.只要它是在任何类型的函数或模块中完成的，并且您旁边没有 XSS 漏洞，您就是黄金.

If you don't enclose your scopes properly, a third party script can read and modify your variables during execution (assuming it's kept for more than one event-loop tick), however, that's a bit of an edge case. As long as it's done within any sort of function or module, and you don't have an XSS vulnerability right next to it, you're golden.

也有关于程序可以查看内存和其他东西的问题，但这也无关紧要，因为如果用户的计算机上有这样的东西，他们最不担心您的 JS 代码.

There are also questions about programs who can look at memory and stuff, but that's also irrelevant because if the user has such things on their computer, your JS code is the least of their worries.

但是我要补充的是，不建议您一遍又一遍地传输密码，您通常希望进行一次身份验证，获得某种一次性令牌(如会话令牌)，并在此期间将其用于身份验证会议.与密码不同，当出现问题时，会话很容易在服务器端失效.

I will add however that it's not recommended that you transmit the password over and over again, you normally want to authenticate once, get some sort of one-time token (like a session token), and use that for authentication during the session. Unlike passwords, sessions are easily invalidated server-side when something goes wrong.

重要的是:

• HTTPS:如果密码未加密，请勿通过网络传输密码.在客户端对它们进行散列或加密不是可行的解决方案.
• XSS 或 SQL 注入 - 从一种语言到另一种语言的任何转换基本上都是危险的.在用一种语言生成另一种语言的语句之前，请务必严格进行转义.
• 数据库中的纯文本密码 - 这更多是服务器问题，基本上，始终使用强加密哈希将密码存储在数据库中

这篇关于将密码存储在 Javascript 变量中的安全隐患是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！