问题
Does holding a user's password in a javascript variable in the browser expose any specific security vulnerabilities, over and above the usual security vulnerabilities of a browser-based client?
Consider this snippet as a simple example - jsfiddle here
<label for="password">Password</label>
<input type="password" id="password"/><br/><br/>
<button type="button" id="pwdButton">Store password in window.password</button>
<script>
function getContentsOfPasswordField() {
return jQuery("input#password").val();
}
jQuery("button#pwdButton").on("click", function() {
window.password = getContentsOfPasswordField();
alert("'" + password + "' stored in global var window.password")
});
</script>
In this example the password variable is global and persists for the lifetime of the page, just to make it as open-to-attack as possible and give the worst-case scenario. Perhaps limiting the scope/lifetime of the variable can shield it from certain classes of attacks?
The attack that comes immediately to mind is XSS, but then if the client is vulnerable to XSS in the first place, the attacker can read the password by key logging anyway (see this) so holding it in a variable doesn't, as far as I can see, increase vulnerability to XSS attacks.
Please note the point of the question is not really whether or not doing this is a bad practice, this is more of a fundamental question about client-side web app security.
回答1:
Leaving the password in a variable leaves it open to people to access simply in their browser tools!
lets say the function called when the store password button is pressed, stores the password in a variable called password. Even if this variable is not used on the page at all after that, simply handled later on somewhere in the code, all one has to do is open up the developer tools in their browser, add in a statement like alert(password);
, and Bam, the password literally pops up infront of them.
Admitedly, any code simple enough to let someone do that is probably unworthy of being on the web, and even less worthy of being meddled with, but I guess it's a lesson in how vunerable we really are.
来源:https://stackoverflow.com/questions/18153635/holding-password-in-javascript-variable-security-implications