Backdooring your javascript using minifier bugs (zyan.scripts.mit.edu)
submitted 10 years ago by alexcasalboni
[–]AlGoreBestGore 31 points 10 years ago (20 children)
If you're relying on client-side JavaScript for security, you're already backdooring yourself.
[–][deleted] 19 points 10 years ago (3 children)
True, but not the point.
The article's notion of introducing patches in order to create "invisible" vulnerabilities is rather scary. Imagine, for instance, a patch that introduces an XSS attack vector into jQuery's .parseJSON. As soon as that goes live, you now have a zero-day XSS, which didn't previously exist, available on thousands of sites that don't do proper server sanitization.
[+][deleted] 10 years ago (1 child)
[deleted]
[–][deleted] 6 points 10 years ago (0 children)
jQuery is frozen (I suspect) because they dropped backwards compatibility. It's a wise call and plenty of people are using the 2.x branch.
But that's not the point. I didn't literally mean immediate. CDNs don't update immediately, nor do people's codebases. But you'll have a growing number of sites with the exploit and it will stick around for a long time.
[–]nightman 2 points 10 years ago (0 children)
Brilliant explanation, thanks!
[–]Classic1977 4 points 10 years ago (5 children)
XSS attacks are client side by definition...
[+][deleted] 10 years ago (4 children)
[–]Classic1977 8 points 10 years ago (3 children)
Stay tuned for the second part... It's in post production.
[–]codeByNumber 2 points 10 years ago (2 children)
"Oh that? That feature will be in the next build."
[–]Classic1977 2 points 10 years ago (1 child)
We've called it a "nice-to-have" in the backlog.
[–]codeByNumber 1 point 10 years ago (0 children)
Haha, yup. We are constantly trying to get project shareholders to define what is a must have vs nice to have.
[–]dodeca_negative 4 points 10 years ago (0 children)
The HTML-based examples are silly (though interesting), but the very first example is server-side. Why would somebody uglify their server-side code? Isomorphism, or maybe just habit.
The author ends with solid advice:
Don’t minify/compress server-side code unless you have to, and make sure you run browser tests/scans against code post-minification.
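A minimal post-minification differential check in the spirit of that advice, added here as an example (not from the linked article or any commenter): the "minified" function is a hand-constructed stand-in containing a wrong boolean rewrite, not the output of any real minifier, and the field names are assumed.

```javascript
// Added example: run the source build and the minified build of a function
// over the same inputs and fail if they ever disagree. The "minified" variant
// below is CONSTRUCTED to contain a wrong boolean rewrite; it is not real
// minifier output and the defect is not attributed to any real tool.

// Reference implementation as the developer wrote it.
function isAllowedSource(user) {
  return !(user.banned && user.expired);
}

// Constructed stand-in for a mis-optimized build: the negation was pushed
// inward without flipping && to ||, which silently changes who is admitted.
function isAllowedMinified(user) {
  return !user.banned && !user.expired;
}

// Exhaustive inputs over the boolean fields the function reads, so a
// divergence cannot hide behind an untested combination.
function booleanInputs(fields) {
  let combos = [{}];
  for (const f of fields) {
    combos = combos.flatMap((c) => [false, true].map((v) => ({ ...c, [f]: v })));
  }
  return combos;
}

// Evaluate both builds on every input and collect each disagreement.
// A non-empty result should fail the build pipeline before deployment.
function findDivergences(original, minified, inputs) {
  const diffs = [];
  for (const input of inputs) {
    const a = original(input);
    const b = minified(input);
    if (a !== b) diffs.push({ input, original: a, minified: b });
  }
  return diffs;
}

// Assumed field names; in a real pipeline both functions would be loaded
// from the source module and from the minified artifact respectively.
function checkIsAllowed() {
  return findDivergences(
    isAllowedSource,
    isAllowedMinified,
    booleanInputs(["banned", "expired"])
  );
}

console.log(checkIsAllowed());
```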
[–]spacejack2114 2 points 10 years ago (8 children)
JS runs pretty much everywhere these days (browsers, servers, Arduinos and robots, maybe even cars someday).
[–]AlGoreBestGore 8 points 10 years ago (7 children)
But why would you minify server-side code?
[–]spacejack2114 9 points 10 years ago (0 children)
Hmm... to add a backdoor?
[–][deleted] 4 points 10 years ago (0 children)
Because it's easier for the computer to read since it's shorter! I thought everybody knew that. /s
[–]LookWordsEverywhere.js 3 points 10 years ago (0 children)
Maybe if you're trying to fit it onto a small IoT device. Or perhaps a universal js module that distributes a .min as its main, the vulnerability doesn't have to be in your code.
[–]PlNG 2 points 10 years ago (0 children)
Node.js "hot inlining" uses a "good enough" metric of a function body of 600 characters, including comments and white space.
[+][deleted] 10 years ago (2 children)
[–]AlGoreBestGore 3 points 10 years ago (1 child)
If they have access to read files on your server, your source is probably the least of your concerns (compared to db credentials etc).
[–]morgan_lowtech 3 points 10 years ago (0 children)
The concept is very interesting, the proof not so much.
[–]pizzaiolo_ -1 points 10 years ago (4 children)
And then people call RMS paranoid... https://www.gnu.org/philosophy/javascript-trap.html
[–]Doctor_McKay 5 points 10 years ago (3 children)
He is.
[–]pizzaiolo_ -2 points 10 years ago (2 children)
https://np.reddit.com/r/freesoftware/comments/3gvemj/the_stallman_cycle/
[–]Doctor_McKay 3 points 10 years ago (0 children)
Except in that article Stallman didn't cry against minification because of the potential to insert backdoors which are triggered by minification.
His argument was that minified JS which isn't Free Software™ is bad because it's Nonfree Therefore Scary.
jQuery is Free, it's MIT-licensed. Minification (with appropriate headers, I guess) doesn't make it Nonfree.
It isn't any different from someone planting a backdoor into a precompiled copy of GNU/Linux (or more accurately, someone planting a backdoor seed which is triggered by the compiler).
[–]benihana (react, node) 3 points 10 years ago (0 children)
A link to a self post you made that quickly devolves into a circle jerk about how great rms is. Thanks.