From dbf318d573c0cb1cbbc3bdc5173860065c75211a Mon Sep 17 00:00:00 2001 From: Onkar Ruikar <87750369+OnkarRuikar@users.noreply.github.com> Date: Mon, 18 Jul 2022 17:42:54 +0530 Subject: [PATCH 1/3] Update good vs bad example --- .../index.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md index df3ac6f834a1da0..e52615c4ca45afb 100755 --- a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md +++ b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md 
@@ -98,10 +98,15 @@ At this point you may be thinking to yourself "*I can use this on my own website - Executable downloads should **always** be done over HTTPS. This prevents intermediate parties from performing attacks like this so it would be redundant. - If the attacker is able to replace the download file on the original server, then they can also simply replace the code which invokes the SubtleCrypto interface to bypass it and just state that everything is fine. Probably something sneaky like replacing [strict equality](/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#strict_equality_using_), which can be a pain to spot in your own code: -```js ---- if (checksum === correctCheckSum) return true; -+++ if (checksum = correctCheckSum) return true; -``` + ```js + // original code + if (checksum === correctCheckSum) return true; + ``` + + ```js example-bad + // tapmpered code + if (checksum = correctCheckSum) return true; + ``` One place it may be worthwhile, is if you want to test a file from a third party download source, which you do not control. This would be the case as long as the download location has [CORS](/en-US/docs/Glossary/CORS) headers enabled to let you scan the file before you make it available to your users. Unfortunately not many servers have CORS turned on by default. From 138ea9c67b499f3752739bd0405de0d882048d7f Mon Sep 17 00:00:00 2001 From: Onkar Ruikar <87750369+OnkarRuikar@users.noreply.github.com> Date: Mon, 18 Jul 2022 17:44:38 +0530 Subject: [PATCH 2/3] fix a typo --- .../non-cryptographic_uses_of_subtle_crypto/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md index e52615c4ca45afb..11c744de9cbf15a 100755 --- a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md 
+++ b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md @@ -104,7 +104,7 @@ At this point you may be thinking to yourself "*I can use this on my own website ``` ```js example-bad - // tapmpered code + // tampered code if (checksum = correctCheckSum) return true; ``` From c3d5c351c0dc6465f534de50be88e0cdef497c7f Mon Sep 17 00:00:00 2001 From: Onkar Ruikar <87750369+OnkarRuikar@users.noreply.github.com> Date: Mon, 18 Jul 2022 18:39:47 +0530 Subject: [PATCH 3/3] marking it as diff --- .../non-cryptographic_uses_of_subtle_crypto/index.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md index 11c744de9cbf15a..8540ab69f508777 100755 --- a/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md +++ b/files/en-us/web/api/web_crypto_api/non-cryptographic_uses_of_subtle_crypto/index.md 
@@ -98,14 +98,9 @@ At this point you may be thinking to yourself "*I can use this on my own website - Executable downloads should **always** be done over HTTPS. This prevents intermediate parties from performing attacks like this so it would be redundant. - If the attacker is able to replace the download file on the original server, then they can also simply replace the code which invokes the SubtleCrypto interface to bypass it and just state that everything is fine. Probably something sneaky like replacing [strict equality](/en-US/docs/Web/JavaScript/Equality_comparisons_and_sameness#strict_equality_using_), which can be a pain to spot in your own code: - ```js - // original code - if (checksum === correctCheckSum) return true; - ``` - - ```js example-bad - // tampered code - if (checksum = correctCheckSum) return true; + ```diff + --- if (checksum === correctCheckSum) return true; + +++ if (checksum = correctCheckSum) return true; ``` One place it may be worthwhile, is if you want to test a file from a third party download source, which you do not control. This would be the case as long as the download location has [CORS](/en-US/docs/Glossary/CORS) headers enabled to let you scan the file before you make it available to your users. Unfortunately not many servers have CORS turned on by default.
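Review bot: the `example-bad` block added in PATCH 1/3 introduces a typo in its comment, `// tapmpered code`, which should read `// tampered code`. The rest of that hunk is an improvement: the removed `js` fence carried `---`/`+++` prefixes that are not JavaScript, so splitting it into a `// original code` block and an `example-bad` block leaves each fence with a line that actually parses.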
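Review bot: the one-line change in PATCH 2/3 (`// tapmpered code` to `// tampered code`) only corrects a typo that PATCH 1/3 of the same series introduced; consider squashing it into that commit so the series does not add and then fix the same line in two consecutive patches.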
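Review bot: the `diff` fence introduced in PATCH 3/3 prefixes both lines with `---` and `+++`, which unified-diff syntax reserves for the old-file and new-file headers, so a `diff` syntax highlighter will render them as file headers rather than as one removed and one added line. Single-character prefixes give the rendering the commit message ("marking it as diff") is after:
- if (checksum === correctCheckSum) return true;
+ if (checksum = correctCheckSum) return true;
The hunk also drops the `// original code` and `// tampered code` comments, which were the only in-code label of which line is the attacker's; the surrounding prose explains it, but keeping a short trailing comment on the `+` line would let the example stand on its own. For readers who miss the single `=`: the assignment makes the condition evaluate to the value of `correctCheckSum`, which is truthy for any non-empty checksum string, so the comparison always succeeds, which is exactly the "just state that everything is fine" bypass the bullet describes.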