Java js/common issue

(@theantbully)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Hello -

I'm part of a new incident response team within a medium size company. I am not a programmer, rather a forensics analyst. Would you programmers be able to tell me a little more about js/common/js as it appears at the end of a website? Should this be available to access through a browser, so any 'joe' can see the context? Or is this a server risk?

Thank you


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Web pages can be assembled via multiple means but two, in particular, are common and relevant to your question (I think).

Server-side scripting involves the execution of scripts on the server which alter the content of the page before it is served up to the client. PHP, Ruby on Rails and Perl are examples of common server side scripting languages. While there are ways of compromising such sites using injection techniques, since the script is executed on the server side, only the output is rendered to the client. Thus, unless the code is simply poorly written, you aren't disclosing much about the server through server side scripting.

Client-side scripting involves executing the script within the browser. No action is taken by the server other than to deliver the contents of the script file intact. Javascript (or some variation of it) is probably the most common client side scripting language and frequently, much of the code is stored in separate files which are downloaded and can be cached to improve performance of the site. Normally the code is not visible to the user because it is executed within the context of the browser rendering the page; however, the script files themselves can be viewed by typing the absolute URL into the browser navigation window. There are people who like to obfuscate their Javascript code to make it more difficult to copy or reverse engineer but most of the time it is simply formatted text.

Again, unless the programmer/web developer is sloppy, the client side scripts should not betray anything about the server and should pose no risk to the server. There are, however, various risks associated with executing Javascript on the client especially if you don't know the source.

Whether the contents of the file are executed by the server or delivered, intact, to the client is determined by a "handler" which is usually associated with the file extension. When the server attempts to open the file it looks at the extension to determine if a special program or routine should be used. For example, files with the extension ".php" would typically be processed on the server side by the PHP interpreter. Files with extensions such as .htm, .html or .js would be delivered to the browser intact.

Not only is exposing Javascript files not harmful, it is necessary to their function.

That having been said, there is no way to know whether the server, itself, is secure unless you know more about it. But allowing users to see the Javascript is not, itself, a concern.

I hope that this answered your question.


   
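The caveat in the answer above (a sloppy developer can let a client-side script betray details about the server) is something a reviewer can check for in the delivered file. The following is an added example, not part of the original thread: the function name `auditClientScript`, the rule list and the sample file are assumptions constructed for illustration, and the patterns are heuristics rather than a complete list.

```javascript
// Added example: flag lines in a browser-delivered script that reveal
// server-side details. Rule set is an illustrative assumption.
const RULES = [
  // RFC 1918 private IPv4 addresses (internal hosts named in public code)
  { id: 'private-ip',
    re: /\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b/ },
  // A quoted literal assigned to a credential-looking name
  { id: 'credential',
    re: /(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']/i },
  // Filesystem paths that only make sense on the web server
  { id: 'server-path', re: /\/var\/www\/|\/home\/\w+\/|[A-Za-z]:\\+inetpub/ },
  // Database connection strings
  { id: 'db-uri', re: /\b(?:mysql|postgres(?:ql)?|mongodb):\/\/[^\s"']+/i },
];

// Returns one finding per (line, rule) hit: { line, rule, match }.
// A hit means "have a person read this line", not "confirmed leak".
function auditClientScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (m) findings.push({ line: i + 1, rule: rule.id, match: m[0] });
    }
  });
  return findings;
}

// Constructed sample standing in for a file such as js/common.js.
// Every value below is made up for this example.
const SAMPLE = [
  '// common.js (constructed sample, not taken from any real site)',
  'function hide(id) { document.getElementById(id).style.display = "none"; }',
  '// TODO remove: staging API lives on 10.20.30.40',
  'var dbPassword = "example-not-real";',
  'var uploadDir = "/var/www/app/uploads/";',
  'var version = "2.4.1";',
].join('\n');

for (const f of auditClientScript(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.match}`);
}
```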
(@theantbully)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Very clear to understand. Thank you.


   