I've had several readers ask me about Security recently, so I decided to write a comprehensive article about it.

Want to learn advanced techniques? Check out our premium courses.

正文

The presence of **JavaScript code on client-side** devices creates various security holes that permit code injection, reverse engineering, and data exposure attacks. Attacks on JavaScript web applications are enabled through easy access to scripts, which permits intruders to both observe and modify program code, steal sensitive information, and embed destructive scripts within the system framework. Developers must protect their client-side JavaScript applications from security threats by impleme

In modern web development, Security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

That's all for this comprehensive guide. I hope you found it helpful! Feel free to leave comments if you have questions.

Reference: Security Tips to Protect Client-Side JavaScript Applications

关于Anti-Debugging，网上资料比较零散，这里做个相对完整的总结。

Want to learn advanced techniques? Check out our premium courses.

正文

For developers who write malicious programs, it’s important to make their code not easy to be read and executed in a sandbox. Like most languages, there are many ways to make the life of malware analysts mode difficult (or more exciting, depending on the side of the table you’re sitting ;-).

Besides being an extremely permissive language with its syntax and making it easy to obfuscate, JavaScript can also implement anti-debugging techniques. A well-known technique is based on the method arguments.callee()[

]. This method allows a function to refer to its own body:

Then, the function can perform checks on the content of the variable 'foobar' (to check the size, to compute a hash or to search for the presence of specific strings) to detect if the content of the function has been modified by an Analyst (ex: to debug the code in the browser).

Speaking about browsers, their “developer tools” are very convenient to debug JavaScript. I got access to a malicious file shared with another malware analyst (thank you Mark!). It implements a nice technique to prevent malicious code to be executed if the browser console is open! Here is the small proof-of-concept based on the initial code (beautified):

The function GFkPC() defines a variable ‘ll’ which will contain the console status (default false - console closed). An object is created (WXMpu) and a ‘getter’[

] on the property is added. The get syntax binds an object property to a function that will be called when that property is looked up. I don’t know why but ‘get’ works only when the console is open. Below, we use the object, this will result in the getter function to be executed and modify the value of ‘ll’ is the console is open.

Let’s load this PoC into Chrome with the Developer Tools open:

You see that the getter is called and the console.log() used.

Now, let's close the console and reload the PoC in the same browser:

This technique worked in Chrome and Safari and the new Edge. It did not work with Firefox. While Googling for some similar examples, I found discussions about the Developer Tools detection back to 8 years ago. Still relevant today!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments/callee

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/get

Senior ISC Handler - Freelance Cyber Security Consultant

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: Anti-Debugging JavaScript Techniques - SANS ISC

在做前端安全相关需求时，JavaScript这个问题绕不开，刚好把踩坑经验分享一下。

Want to learn advanced techniques? Check out our premium courses.

正文

The most common JavaScript vulnerabilities include Cross-Site Scripting (XSS), malicious code, Man-in-the-middle attack and exploiting vulnerabilities in the source code of web applications. In this article, we’ll take a look at the most common JavaScript vulnerabilities and how to prevent them through popular modern security approaches combined with testing tools (e.g, auditing and code analysis tools, JavaScript vulnerability scanner, etc.). Most common JavaScript attack vectors include: execu

When it comes to JavaScript, understanding the fundamentals is crucial for any developer. This guide will walk you through the key concepts and practical applications.

One of the most important aspects of JavaScript is security. In today's digital landscape, protecting user data and preventing unauthorized access should be top priorities for every project.

Performance optimization is another critical factor. Efficient code not only provides better user experience but also reduces server costs and improves scalability.

Modern development practices emphasize modularity and reusability. By breaking down complex systems into smaller, manageable components, teams can collaborate more effectively and maintain codebases more easily.

Testing should never be overlooked. Comprehensive test coverage helps catch bugs early and ensures that changes don't break existing functionality.

Documentation is equally important. Well-documented code is easier to understand, maintain, and extend by team members both present and future.

Version control systems have revolutionized how developers collaborate. Understanding Git workflows and best practices is essential for modern software development.

Continuous integration and deployment pipelines help automate the build, test, and release processes, reducing human error and speeding up delivery cycles.

Monitoring and logging provide visibility into production systems, enabling quick identification and resolution of issues before they impact users.

The devOps culture promotes collaboration between development and operations teams, breaking down silos and improving overall efficiency.

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: JavaScript Security | JavaScript Vulnerabilities