7

So I am forced to complete an online course for my school that uses javascript functions to ensure each student stays on the page for at least a "required_variable" amount of time. Now using the javascript console I am able to just reset the required_variable amount of time to 0, thus allowing me to go to the next page without waiting their amount of time. So my question is whether the website could possibly know that I am resetting their variable. I looked at their code, and I seriously doubt that this particular website can, but I am more wondering because I design websites and there are certain javascript variables I wouldn't want to be overridden in some of my websites.

John Mathews
  • 7
    Everything that is happening on the client side is tainted. Period. – PeeHaa Jun 01 '13 at 20:30
  • What do you mean by that? – John Mathews Jun 01 '13 at 20:32
  • They could track the time separately on the server. – JJJ Jun 01 '13 at 20:32
  • It can be checked if they are sending it back to the server and using a server side language to see what is going on; however, it is unlikely that they would do that. You should never trust client side data. – FireCrakcer37 Jun 01 '13 at 20:32
  • They cannot know directly. But let's assume they have your session ID and know when you entered the page and when you requested the next one. If this differs by less than the timespan on the client, they gotcha. – Krumelur Jun 01 '13 at 20:32
  • 3
    @JohnMathews You cannot trust anything that is happening on the client side simply because it is out of your control once you send it over to the client. It is your responsibility to always validate stuff server side. – PeeHaa Jun 01 '13 at 20:32
  • 4
    What happens in client, stays in client. Like Vegas. – moonwave99 Jun 01 '13 at 20:36
  • @moonwave99 This can be understood as "as the website, don't trust what was sent to the client and just came back" (your analogy is good) or as an answer to the OP's question "can the server know what I just did in the console", and then your analogy is false because the server may send itself some data ;) – FelipeAls Jun 01 '13 at 20:41
  • @PeeHaa埽: I think John already knows this. After all, in the question, he states that he's the one doing the tainting. In other words, *he's* the client. –  Jun 01 '13 at 23:40
  • @CrazyTrain If you look a bit further into his question you will see " but I am more wondering because I design websites and there are certain javascript variables I wouldn't want to be overridden in some of my websites.". – PeeHaa Jun 01 '13 at 23:53
  • @PeeHaa埽: Oh ok, I see what you meant. You're saying that he can't reliably detect unauthorized mutations to the environment. I'm up to speed. :-) –  Jun 02 '13 at 00:10

2 Answers

5

> whether the website could possibly know that I am resetting their variable

Yes, there's Object.watch() from Mozilla and generic implementations for all browsers (e.g. "Listening for variable changes in JavaScript or jQuery" - a number of examples there).

In such a case the "watch function" could for example call back to the server to notify.

Marcel Stör
  • Sure, but the OP's question was whether it's possible. – Marcel Stör Jun 01 '13 at 20:37
  • +1 because OP asks if it is possible. Also, pointing out that it's improbable they'd implement anything like this, and if you knew about it, you could get around it. I mean you could even, dare I say it, pull out your Ethernet cable. – Paul S. Jun 01 '13 at 20:40
2

The exact time you clicked on the Next/Answer button could be recorded server side; the exact time your browser requested each page is logged by the server along with your IP so it'll always be possible to analyse your behaviour for the past year. Though it's unclear why or if they would do that.

Risk analysis: what would you gain from doing what you intend to do? What would you risk? If it seems dumb to you (I don't know, you gave little details... with reasons :) ), it may be super mega important to them to enforce this rule... and be mad at you.
tl;dr don't

FelipeAls
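The server-side time tracking that the comments and the second answer describe, sketched as an added example that is not part of the original thread or the course site's code. The page names, required durations, and function names are hypothetical; the point is that the site owner enforces the wait with the server's own clock and can count requests that arrive too early.

```javascript
// Added example (not from the thread). All names and values are hypothetical.
// The server records when it served each page and compares its own clock
// readings; no timer value from the browser is ever read.
const REQUIRED_MS = new Map([['lesson-1', 60000], ['lesson-2', 90000]]); // constructed
const served = new Map();        // sessionId -> { page, servedAt }
const earlyAttempts = new Map(); // sessionId -> count of too-early requests

// Called when the server delivers a page to a session.
function servePage(sessionId, page, now = Date.now()) {
  if (!REQUIRED_MS.has(page)) throw new Error('unknown page: ' + page);
  served.set(sessionId, { page, servedAt: now });
}

// Called when the session asks for the page that follows `page`.
function requestNext(sessionId, page, now = Date.now()) {
  const rec = served.get(sessionId);
  if (!rec || rec.page !== page) return { allowed: false, reason: 'no-record' };
  const elapsedMs = now - rec.servedAt;
  const requiredMs = REQUIRED_MS.get(page);
  if (elapsedMs < requiredMs) {
    // The unmodified page would not send this request yet, so count it.
    earlyAttempts.set(sessionId, (earlyAttempts.get(sessionId) || 0) + 1);
    return { allowed: false, reason: 'too-early', remainingMs: requiredMs - elapsedMs };
  }
  served.delete(sessionId); // one-time use: the next page needs its own record
  return { allowed: true, elapsedMs };
}

// Lets the site owner see how often a session tried to advance early.
function earlyAttemptCount(sessionId) {
  return earlyAttempts.get(sessionId) || 0;
}
```

In a real application `servePage` and `requestNext` would sit inside the route handlers for the lesson page and the "next" request, keyed by the server-issued session ID.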