Firoz Ansari's Weblog

Vulnerable JavaScript Comments

Today, while checking my balance on my bank’s web portal, which proclaims itself one of the most secure online banking portals in India, I curiously thought of inspecting their HTML content using View Source. I was really shocked (I almost had a heart attack) to see a whole bunch of JavaScript comments placed all over their pages. The most interesting thing was that these JavaScript snippets not only tell you the bug numbers, who made the modifications and on which date, but also what the actual issue was and how they resolved it. :)

The most interesting part was:
<script language="JavaScript1.2">
function alert_keycode(){
/*
Abhilash.

This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value.

And submit is invoked

*/

frm = document.confirmFrm;
if(event.keyCode==13)
{
blah blah blah

I love this “detailed” and technically well-explained comment provided by the developer in the HTML code.

On a serious note, I never put JavaScript comments like these in my code: as you can see from comments like the one above, they can point straight at a vulnerability or security hole in the application. Even if you set aside the extra page payload these JavaScript comments add, shipping comments full of technical or business explanations to the client is a major security risk to your application. Don’t do that!

IMO, these code comments are for developers, not for users. My suggestion to all web developers is to use server-side comments instead of any client-side comment, especially if you are developing applications for financial institutions and the like.

What is your opinion if I modify above code like this:
<script language="JavaScript1.2">
function alert_keycode(){
<%
/*Abhilash.

This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value.
And submit is invoked
*/
%>
frm = document.confirmFrm;
if(event.keyCode==13)
{
blah blah blah
</script>

I guess the latter is more secure than the original one. Do you agree with me?
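To catch this kind of leak before a page ships, here is an added example (my own check, not code from the bank's portal or from the original post) that scans a JSP/ASP-style template for comments that would reach the browser. Anything inside <% %> is treated as server-side and therefore stripped, which is exactly the effect the rewrite above relies on; the keyword list and the two sample templates are constructed for the example.

```python
import re

# Words that, inside a client-visible comment, usually signal internal
# bug history, workarounds or credential handling (constructed list).
SENSITIVE_WORDS = ("bug", "fix", "issue", "pwd", "password", "hidden", "workaround", "todo")

SERVER_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)  # JSP/ASP scriptlet: never sent to the browser
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
JS_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)  # naive: does not parse string literals
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def client_visible_comments(template):
    """Return every comment that would be delivered to the client from this template.
    Server-side scriptlets are removed first, so a comment wrapped in <% %> is ignored."""
    shipped = SERVER_BLOCK.sub("", template)
    comments = []
    for block in SCRIPT_BLOCK.finditer(shipped):
        comments.extend(m.group(0) for m in JS_COMMENT.finditer(block.group(1)))
    comments.extend(m.group(0) for m in HTML_COMMENT.finditer(shipped))
    return comments


def flag_sensitive(comments):
    """Pair each suspicious comment (truncated preview) with the keywords that matched."""
    findings = []
    for c in comments:
        hits = [w for w in SENSITIVE_WORDS if w in c.lower()]
        if hits:
            findings.append((c.strip()[:60], hits))
    return findings


# Constructed sample modelled on the post: the comment ships with the page.
LEAKY_PAGE = """<script language="JavaScript1.2">
function alert_keycode(){
/* Abhilash. Added because Enter on the pwd field submitted the wrong
   action; fix renames the Pwd field to the OK button's name. */
frm = document.confirmFrm;
if(event.keyCode==13) { }
}
</script>"""

# Same page with the comment wrapped in a server-side scriptlet, as the post proposes.
FIXED_PAGE = LEAKY_PAGE.replace("/* Abhilash.", "<%\n/* Abhilash.").replace("*/", "*/\n%>")

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(name, flag_sensitive(client_visible_comments(page)))
```

Run it over the template directory as a build step and fail the build on any finding; the regexes are deliberately simple, so treat a clean result as a first filter rather than proof.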

Please provide your comment here:

http://www.firoz.name/2006/05/26/vulnerable-javascript-comments/

Posted: May 26 2006, 08:10 AM by firoz.ansari | with no comments