You are viewing limited content. For full access, please sign in.

Question

Question

Laserfiche Form - how to prevent javascript calling web service from leaking credential information?

Forms Integrations Security
Updated January 3, 2023
asked on December 22, 2022

Hi I am having a question regarding use LF Form javascript (ajax call) integrate with certain web services. However the issue is when programming the web service call it often includes credential portion which is visible to Form end users.  Is it possible for LF Form to prevent this? Or practically any good suggestion how to "hide" credentials?  

Note: I read from one of the early discussion topic that LF Forms JS are all client-side code that visible to end user, not sure if it changed after years upgrade.

0 0

Replies

replied on December 22, 2022

Unfortunately, just with the nature of how browsers interact with Javascript, this can definitely be an issue.

I'm sure others will have suggestions, but here's a couple ideas:

  1. Have the credentials populate from a database into fields on the form, that are hidden from view, and have your Javascript delete the values from the fields after they are used.  That way, the fields should only have values for a few moments, so even if a user unhides the fields, they'll just see them as blank values.
  2. Set-up an API yourself that either handles a request from Forms to get the credentials, so you end up making an AJAX call to your service for credentials and then a second AJAX call to the aactual service you need to access.  Or even better, set up your API to handle all the calls to the third party and return the info to Forms, so that Forms just interacts with your service, and the info about the third-party is obfuscated within that service.
  3. Look into Javascript options that encrypt and decrypt values, and use that to store encrypted credentials instead of clear text versions.
3 0
replied on January 3, 2023

For an integration like this, there isn't really anything that the hosting application (e.g. Forms) can do. The problem is that in most scenarios, you should consider the browser to be an untrusted environment, but you also want to prevent it from misusing some of the data you give it. Yes, Forms could provide a way to obfuscate credentials, but the page must also necessarily include instructions for how to decode and use those credentials. Not only must the credentials be available to script in the page, but the user can also see all of the headers and parameters included with the http request.

Taking a step back, the reason the application wants to assert this control over the browser is usually because the security model of the API is not as sufficiently rich as the application would like. That is, the credentials would give access to sensitive information that the user should not have access to. So one approach is for the API to have a richer security model, and to use it to limit the scope of what the credentials provide access to, so that "leaking" the credentials to the user doesn't allow them to gain more information than they could just by using the application. And here, I am using "credentials" in the most generic sense - mirroring your application users in a remote system is often not feasible or desirable.

If the remote API can't enforce the policy you would like, you might need to proxy all of the calls through your own application, where you can enforce your own access policy.

Another common scenario is when there isn't really a security policy to enforce but you still want to prevent a user from accessing all of the data. This is definitely trickier, and your tools might be rate limiting and auditing.

 

2 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...