I am building a JavaScript library that will allow authentication to a server using the SRP-6 protocol.
I know using JavaScript as an authentication method is not the best option due to XSS. But proper XSS prevention can eliminate most issues.
My only concern is: how easy is it to modify a server reply before the user even receives it?
Sample Scenario:
User requests page: http://serverdomain/home
Server replies back with:
<html>
<head>Home</head>
<script type="text/javascript" src="auth.js"></script>
<body>Home</body>
</html>
Before the user receives the reply, can a hacker somehow magically modify the reply to:
<html>
<head>Home</head>
<script type="text/javascript" src="hacker_auth.js"></script>
<body>Home</body>
</html>
Is this possible to do? This is one of the vulnerabilities I can think of when using JavaScript to authenticate.
Badaboooooom nailed it: http://en.wikipedia.org/wiki/Man-in-the-middle_attack You can use HTTPS to mitigate the risk, though tools such as http://www.thoughtcrime.org/software/sslstrip/ still make an attack possible if the user doesn't notice the "lock" is gone.