-2

In order to secure my SPA, I need a way to disable all the JS breakpoints.

Currently, I'm still able to add runtime breakpoints with Chrome DevTools and change the variable values of my objects. Not in the console but in the runtime.

If an attacker is able to change attribute values of the App objects, my application is compromised.

Do you have a suggestion to prevent this behaviour?

The best would be to insert in my JS:

console.ignoreBreakPoints();
Maxime
  • I believe that debuggers are great for developers and hackers. Developers should be aware of the dangers (runtime variables editing) of debuggers. In that way, it would be a great step to secure a JS app. – Maxime Oct 29 '14 at 13:05

1 Answer

0

As a practical measure, you can try to make it somewhat more difficult to look through your code by minifying or otherwise obfuscating your JavaScript before sending it to the client. But you cannot rely on any client-side behavior to secure your website. All your security checks must be re-checked server-side.

Even if there were a way to instruct Chrome to not let people do something with Dev Tools (and there isn't), users could still change values in the browser with various other tools on their computer. Or they could compile their own custom version of the browser. Or they could simply send your server bad information, without running your client-side code at all.

StriplingWarrior
  • Cheat Engine was maybe able to find some variable addresses but it was unable to modify any value during my test. – Maxime Oct 29 '14 at 13:06
  • @Maxime: That was just one example. My point is that it will always be possible to hack an application that relies on client-side behavior. You must make your application so that it can't be compromised simply by changing the client-side values or code. – StriplingWarrior Oct 29 '14 at 16:29
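
The server-side re-check that the answer describes, shown as an added example that is not part of the original question or answer. The handler name `handleOrder`, the catalog, the session store and the request shapes are all hypothetical. The server recomputes every security-relevant value from its own state, so a value edited at a DevTools breakpoint has no effect on the outcome.

```javascript
// Server-side state (constructed sample data): the only source of truth.
const CATALOG = new Map([["sku-1", { priceCents: 1999 }], ["sku-2", { priceCents: 500 }]]);
const SESSIONS = new Map([["tok-alice", { user: "alice", role: "customer" }]]);

// Hypothetical order handler. Every field of `body` is untrusted: it may have
// been edited in a debugger, or sent without running the SPA at all.
function handleOrder(sessionToken, body) {
  const session = SESSIONS.get(sessionToken);
  if (!session) return { status: 401, error: "not authenticated" };

  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { status: 400, error: "items required" };
  }

  let totalCents = 0;
  for (const item of body.items) {
    const product = item && typeof item.sku === "string" ? CATALOG.get(item.sku) : undefined;
    if (!product) return { status: 400, error: "unknown sku" };
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      return { status: 400, error: "invalid quantity" };
    }
    // Price comes from the server catalog; item.priceCents is ignored.
    totalCents += product.priceCents * item.qty;
  }

  // Privileges come from the server-side session, never from body.role or body.isAdmin.
  const discountPct = session.role === "staff" ? 20 : 0;
  totalCents = Math.round((totalCents * (100 - discountPct)) / 100);
  return { status: 200, user: session.user, totalCents };
}

// Constructed requests: what the unmodified SPA sends, and the same request
// after client-side values were changed at a breakpoint.
const honestBody = { items: [{ sku: "sku-1", qty: 2 }], totalCents: 3998 };
const tamperedBody = {
  items: [{ sku: "sku-1", qty: 2, priceCents: 1 }],
  totalCents: 2,
  role: "staff",
  isAdmin: true,
};

console.log(handleOrder("tok-alice", honestBody));   // server-computed total
console.log(handleOrder("tok-alice", tamperedBody)); // identical result
```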