Check out a free preview of the full The Good Parts of JavaScript and the Web course:
The "Identifying Security Vulnerabilities" Lesson is part of the full, The Good Parts of JavaScript and the Web course featured in this preview video. Here's what you'd learn in this lesson:

Doug spends some time challenging the audience to find the security vulnerabilities within his vector() function. He fields questions about the code while guiding the discussion closer to a solution.

Get Unlimited Access Now

Transcript from the "Identifying Security Vulnerabilities" Lesson

[00:00:00]
>> But the function is not altered as result of that experience, it doesn't remember that.
>> Speaker 1: So the goal is to protect array.
>> Speaker 2: Which we have started to do, now we've got the thing, in a function scope, we've got methods of close over it. We've done all of that stuff well, but there is a vulnerability in the language, which will frustrate our work.

[00:00:27]
>> Speaker 1: My intention is just, and you just have the return object, right? So you could make a new, could you potentially define a new, key of the function that just return array.
>> Speaker 2: So, you just. How would you do that?
>> Speaker 3: Yeah, Castor.
>> Speaker 2: So, be more explicit.

[00:00:58]
>> Speaker 4: So, you call vector that store or you pass in a function that contains the array.
>> Speaker 2: Okay, but the function you pass in, is created on the outside, right? So that function doesn't close over the array when it's on the outside, and so, only functions created on the inside will be part of that closure.

[00:01:24]
>> [INAUDIBLE].
>> Speaker 2: It is possible to have functions to the prototypes of system objects, and that is definitely going to be concerned about that's going to fix.
>> Speaker 3: if you were to, I think this is what John was saying, if you were to, you can still achieve a vector, and then you say, vector.

[00:01:49] Get array equals function return, array. But array is undefined, because its impact scope of where you're creating it.
>> Speaker 2: That's right. So that's good, that's a place where the language is working for us.
>> [CROSSTALK]
>> Speaker 2: Yeah, that's not where the language is weak.
>> Speaker 4: If you inherit from vector, do you have access to the [INAUDIBLE].

[00:02:32]
>> Speaker 2: Really good question, no, because functions go stop work like JavaScopes, you know there's no package kind of thing. So, no you don't inherit the contents of a function scope. Can you twiddle with that function.
>> Speaker 3: So, vector, your instance that.get, has this function in it. Can you, it is a function.

[00:02:57] Is there some way to manipulate the guts of that function once you have a pointer to it?
>> Speaker 2: No. No, functions. Yeah, you could store a function. You could use store to put a function through an array and then use get, to get it back out. But the function is not altered as result of that experience, it doesn't remember that.

[00:03:24]
>> Speaker 3: The function doesn't have any properties that you could go and pick at.
>> Speaker 2: Right.
>> Speaker 3: Where change, so that when you call the next time, it gives you something completely different.
>> Speaker 2: Right.
>> Speaker 4: If I tack a function onto that and call this. Does this have access to the array?

[00:03:41]
>> Speaker 2: You are on to something.
>> Speaker 4: So if I had called append on function code, screw it up, and if screw it up, and said, this .array equals a new array.
>> Speaker 2: It wouldn't be this .array, because there is not an object which represents The contents of the scope.

[00:04:10] But this is, definitely part of the attack.
>> Speaker 3: Can we change push, so that we said array? We changed what the prototypical push of an array, does so that, it returns its own value.
>> Speaker 2: Yeah, yeah you are getting close.
>> Speaker 3: Okay. Okay so the return (i), that, the third function doesn't return anything.

[00:04:42] So that's not gonna get it out. The second one doesn't return anything. So that's not gonna get it out. Or, actually, if you pass in an array, to store, you could change, or no, you could pass in an array to append, and change push, so that what push does.

[00:05:05] It takes the thing that you've passed in, and pushes onto the end of it, itself. So you call append with this array, and then you get the last thing of the array, and that's the array you want.
>> Speaker 2: No, that wouldn't work, yeah, you're drifting away, you almost had it.

[00:05:24] You were very, very close
>> Speaker 4: Push a function at the end of the array, using append, and then you use get, to call that function, so.
>> Speaker 2: You can do that. But, the function, the function does not remember that, that happened. So it is not altered by that.

[00:05:58]
>> Speaker 3: How do you, in JavaScope change the function of a prototype, you trick like a radar prototype .push, and now, you're gonna okay.
>> Speaker 2: That's exactly it. Yeah, you could go to array.prototype.push. But we're assuming that, that's been fixed. So one of the aspects of the design of JavaScript, is that everything is unlocked with its guts exposed, and If you think about security, that's obviously a terrible thing.

[00:06:28] So we're assuming that, that's been fixed. So we're concerned not just with the performance of ordinary programs.
>> Speaker 4: So if you were to store a function, that calls this .array
>> Speaker 4: You still wouldn't have access to array.
>> Speaker 2: This .array won't get you there, but this itself will get you there.

[00:07:04]
>> Speaker 4: There were times this.
>> Speaker 2: Yes.
>> Speaker 3: I got it. It was, what I described exactly did it, everyone at the radar prototype.push. Equals functional a, a brackets zero equals this. So they're not creating array one, two, three, four.
>> Speaker 2: Right?
>> Speaker 3: They are creating array x, into array, and then I call My first array.push passing in x.

[00:07:43] The two bit empty array, took away itself made that the first element of x. So, they pass into it and now x, the first element of x, is the array I want to hack out.
>> Speaker 2: Right. I've said it a couple of times, we're not looking for array dot prototype, that we're assuming that, that's been fixed.

[00:08:06]
>> Speaker 3: I'm sorry, Array dot prototype is fixed in the new version of language.
>> Speaker 2: No, we're assuming in the context of this problem, that, that's been fixed, because of the very thing, that you just described.
>> Speaker 4: It has nothing to do with using the call method?
>> Speaker 2: It does not require use of the call method.