Author: Jason Gerfen
Posted on: 2013-10-14
Package: secStore.js
Read this article to go through a brief introduction to using secStore.js library when you need to secure essential data, such as authentication tokens or personally identifiable information needs to be stored within the user browser.
Introduction to secStore.js
Are you one that reads news articles like this and shudders, or see tools like megaPWN and asks questions like: Am I doing it right? Am I protecting my users?
I know I do, and have developed a project to assist in protecting sensitive client data. A prime example of which would be the use of a cryptographically signed authentication token.
1) A XSS flaw in the browser allowing a malicious user the ability to bypass the same-origin restrictions
2) The even easier attack of targeted emails containing an XSS laden link as part of a phishing or whaling party.
Now that you have enveloped your websites with a secure communications channel next you should ensure that all areas of your code accommodates for additional flaws such as cross site request forgery, cross site scripting, cross site history manipulation, etc etc.
As a developer, from a purely ethical standpoint, you should be addressing these on each and every web site, application or piece of code you publish.
I hope I am not making you feel overwhelmed with things you may have never considered as part of your development process (you are not alone).
Keep in mind that when you visit your banking website, or your email Web site, or a social networking Web site, you also expect that their code is protecting your personal information, right?
With that being said accounting for these attack vectors should not be difficult as the majority all boil down to input validation and output formatting.
Adhering to these two fundamentally important tasks will eliminate the majority of your SQL Injection (when using a database backend), XSS, XSRF and other same origin bypassing vulnerabilities.
If you currently working with personally identifiable information for your users and want to provide better protections go ahead and implement secStore.js.
Example of Usage of secStore.js
In these examples I will be using the AES feature providing transparent encryption and decryption, so we must include the Stanford Javascript Crypto Libraries first. If you are using git the easiest method of installation is like so...
git clone --recursive https://github.com/jas-/secStore.js.git
That will create a clone of the the secStore.js repo as well as install the SJCL libraries within the 3rd-party folder as a dependency.
Next we simply need to create a new document and include the secStore.js file by embedding it into the head of our HTML document. Here is an example:
Easy enough, right? Now we simply need to start saving and retrieving data.
<script src="path/to/secStore.js"></script>
This first example details how to save data transparently encrypting it using AES with the debug flag turned on while capturing the results of our operation and writing it to our document.
<script><!-- $(window).secStore({ aes: true, debug: true, data: {foo: 'bar', ping: 'pong'}, callback: function(results){ document.write(results); } }); // --></script>
Pretty simply right? At this point you have a cipher text version of the object we specified with the 'data' parameter shown in the example above.
Because in that example we enabled the 'debug' option if you open up your browsers console you can see verbose logging information regarding the operation.
Now
that we have given an example of saving data lets now get that data
back into plain text from the stored cipher text and print it to the
screen.
<script> $(window).secStore({ aes: true, debug: true, callback: function(results){ document.write( JSON.stringify( results)); } }); </script>
There you have it, your screen should now show the object in string format like so...
{foo: 'bar', ping: 'pong'}
There are many more options available
for this plugin that I suggest you read up on if you decide this is a
plugin you wish to implement in your next development project.
Happy coding!
You need to be a registered user or login to post a comment
21,042 JavaScript developers registered to the JS Classes site.
Be One of Us!
Login Immediately with your account on:
Comments:
1. agen bola - Elizabeth Cindy (2016-09-26 09:42)
agen bola... - 0 replies
Read the whole comment and replies