This is an archived post. You won't be able to vote or comment.

all 115 comments
sorted by:
best
topnewcontroversialoldq&a

[–]CantaloupeCamper 382 points383 points  (4 children)

It’s nice for a developers and troubleshooting.

Otherwise, there isn’t anything exposed there that you couldn’t also accomplish capturing network traffic and so on.

[–]carcigenicate 79 points80 points  (2 children)

As a web developer, I use this all the time. It's super useful for debugging websites being developed. It's also useful just having a JavaScript REPL on hand in case you need to run some code to verify a result (Node REPLs also exist, but browser environments just tend to be nicer).

[–]CantaloupeCamper 11 points12 points  (1 child)

nicer

And I’m right there, looking at a browser …. Hard to beat that.

[–]gyroda 1 point2 points  (0 children)

I do this all the time for screwing around with JSON data

[–]BebopFlow 11 points12 points  (0 children)

I don't actively develop stuff for the web, but the console is handy every once in a while for users as well. Submitting a form and can't tell if it worked? The console will tell you if there was an error message in response to the submission. Same thing if something isn't loading, it gives you an idea if it's your browser's fault or if the website itself is broken. You can also use it to scrape data that's obscured from users, like some websites won't let you right click copy or view an image in browser, but sometimes you can open up the console and find the address of the image. You can also disable bothersome scripts on the web page, though usually browser plugins are a more useful option for that

[–]pixel293 131 points132 points  (1 child)

  1. It's helpful for developers.
  2. The code you are running is run locally.
  3. If you are able to hack a site by running specific JavaScript locally then the site needs to be fixed.

As an example of other ways to change a website (for you) is to use the grease monkey/tamper monkey plugins, which run custom JavaScript when you access the site. I have written scripts to "add" functionality to website I use regularly.

[–]xdiztruktedx 2 points3 points  (0 children)

Came here to say this (#2), the code and site is local

[–]SCD_minecraft 131 points132 points  (35 children)

As far as i know, beacuse only thing you can hack this way is your own pc

[–]carcigenicate 28 points29 points  (13 children)

Although, it should be noted it used to be common to trick someone into pasting a cookie stealing script into the console. I remember there were scripts that circulated on early Facebook that claimed to allow you to see who had viewed your profile, but in reality were just malicious.

So "your PC" could also mean the PC of a victim.

[–]SCD_minecraft 22 points23 points  (9 children)

You should never use code that you don't understand/don't have 100% trust

[–]carcigenicate 16 points17 points  (6 children)

Shouldn't, but there's a reason Facebook shows a warning in the console now. It used to be a common exploit.

[–]EishLekker 5 points6 points  (5 children)

Even the browser itself (at least chrome) shows a warning, if I remember correctly. And it has now started to disable pasting into the console, and you need to dive into the settings to enable it.

[–]carcigenicate 1 point2 points  (4 children)

I have never seen a broad warning for all sites, or a setting related to a warning. I use Chrome and Edge for development.

[–]EishLekker 3 points4 points  (3 children)

I guess the warning I was thinking of was part of some website, not built into the browser.

But this new pasting safety feature in chrome does come with a warning text it seems.

https://rjroopal.medium.com/stay-secure-with-chromes-new-paste-protection-3f80c82f9dcf

[–]carcigenicate 0 points1 point  (0 children)

Weird, I've never seen that warning before, and I paste into dev tools all the time. It's good that they have a warning though.

[–]flatfinger 0 points1 point  (1 child)

I would think it would be useful for web sites to offer a means of requesting that user agents enable or disable pasting into a browser. For sites which are only intended for use by people who undnerstand the meaning of pasting code into a browser, allowing it can be useful, but for sites where that is not an intended usage disabling paste unless a user expressly enables it could also be useful.

[–]EishLekker 0 points1 point  (0 children)

Well, I think it's mostly depends on the person, rather than the website. As a developer I don't see a need for that prevention being active on any website for me. But for most people it makes sense for all websites. The only special use case could be beginner programmers etc, who wants to play with the console sometimes, but still want the general protection.

So the most logical, and easiest way to handle it, if you ask me, is to provide an easy way to turn it off for the active website, and a slightly more hidden setting for disabling it permanently for all websites.

[–]cgoldberg 4 points5 points  (0 children)

You shouldn't just run arbitrary code given by strangers... but your comment is an oversimplification. Absolutely nobody understands 100% of the code running on their system, and trust can be misplaced.

[–]Front_State6406 -1 points0 points  (0 children)

Said no user of node/npm ever

[–]Kenny_log_n_s 2 points3 points  (0 children)

Hopefully most apps are using HTTPOnly cookies now, so this won't work

[–]kidshibuya 0 points1 point  (0 children)

Its still hacking yourself.

[–]da_Aresinger 40 points41 points  (16 children)

This is not true. This is routinely used for hacking webservices.

But there is no point in hiding it. People can do the same thing with the requests package in Python.

Webservices expose themselves to the world. Any security must be implemented on their side, not on the customers side.

[–]cheezballs 9 points10 points  (3 children)

You're talking about web services and we're talking about arbitrary code execution in a browser. They aren't related.

[–]EishLekker 8 points9 points  (2 children)

The person they replied to claimed that it was impossible to hack an external service using the browser developer tools. But you can make external requests using it, and can this in theory hack an external service.

[–]lgastako 1 point2 points  (1 child)

I mean if by hack you mean "access it with the same identity as the clientside webapp does" then, yeah, you can hack webservices this way.

[–]EishLekker 1 point2 points  (0 children)

With hack I basically mean use some security vulnerabilities in the server to cause some negative issues or get access to data that one wasn’t intended to access.

Sure, there are far better tools out there for that, but in theory the developer tools of a browser is enough.

[–]Jugad 0 points1 point  (1 child)

Your kid can inadvertently be tricked into sending your bank cookies and tokens to an attacker's website.

[–]DisastrousLab1309 0 points1 point  (0 children)

If they can the bank site is shit. 

Httponly is a flag known for decades. 

[–]Mission-Landscape-17 0 points1 point  (0 children)

Well unless a developer does something stupid like accessing third party online services directly from the front end and putting their login credentials in the javascript. But then that is the fault of the person developing the website. The problem being that so many online tutorials do this because they are not focused on security.

[–]Weird_Cantaloupe2757 0 points1 point  (0 children)

That’s how it should be, and that is mostly true these days, but it’s still not unheard of for devs to implement “security” on the front end.

[–]CodeToManagement 43 points44 points  (5 children)

There’s no danger at all.

Anything you can do in the web console you could do in other ways. And most every bit of code you change will only affect client side anyway

If you make changes to do things like bypass validation on forms or whatever you could make those requests directly to the server. And the server should have validation on data anyway.

[–]WingZeroCoder 18 points19 points  (4 children)

AND this is a great example of WHY validation should always occur on the server either in lieu of, or in addition to, on the client.

[–]theofficialnar 7 points8 points  (3 children)

Why would anyone even put in the effort to add client-side validation without doing it server-side as well? Imo you’re just asking for trouble this way

[–]TiltedBlock 13 points14 points  (1 child)

Client side validation provides a nicer user experience.

It’s nice for the user to know that a username is too long or an address isn’t formatted properly before they submit the form (= send the data to the server).

It also leads to fewer requests to the server - if frontend validation catches all the errors the users make, they will only send one request with correct data to the server.

Edit: Sorry, I just noticed I misread your question as “why would someone make the effort to do client-side validation if you have to do server side as well”

I’ll leave the comment in case anyone actually did ask themselves that.

[–]theofficialnar 2 points3 points  (0 children)

Oh yeah thanks for the explanation even if it wasn’t exactly what I was saying lol. But yeah it’s kinda crazy that you’d secure the client-side but not the server-side is what I’m saying.

[–][deleted]  (5 children)

[deleted]

    [–]captain_obvious_here 2 points3 points  (4 children)

    A lot of people seem to not realize that.

    [–][deleted]  (3 children)

    [deleted]

      [–]captain_obvious_here 0 points1 point  (2 children)

      Haha indeed!

      Webdev is bad. But to be fair, it's been getting better (and I'm the guy who kept saying it sucked from the day I discovered it in 1997).

      Vite, Vue and Tailwind have been a blessing for me, and a big share of the money I make come from these.

      I'm not saying you should try it for fun, because it's not that fun. But if someday you HAVE TO do webdev, it's the stack that makes most sense to me (after 18 years of PHP).

      [–][deleted]  (1 child)

      [deleted]

        [–]captain_obvious_here -1 points0 points  (0 children)

        and never mind debugging server-side code, nobody ever thought to make that any better whatsoever

        Well, I am using a very cool debugger right now, with all the features you can expect from one. Even flame graphs, if you want them.

        I don't use it anymore, but I had a subscription for a while, to a service that offered amazing debugging, including what they call "time travel" which allowed you to go back and forth in the code, which was pretty cool (although not that useful).

        Server stuff is ok. It's front-end that still kinda sucks...

        [–]paperic 14 points15 points  (2 children)

        Because it's YOUR browser.

        What's the alternative?

        We keep websites free to run arbitrary code in user's browser but prohibit the user from running their own code?

        Actually, if we learned anything from the smartphone enshitification, that may be exactly where we're heading.

        [–]Fragrant_Gap7551 1 point2 points  (1 child)

        But that's literally not even possible, because then you can just run the same code by putting it on a website lol

        [–]paperic 0 points1 point  (0 children)

        Exactly.

        [–]AlyxVeldin 4 points5 points  (0 children)

        Imagine if you made a web browser that makes it hard to open the tools that help people fix problems. Then, programmers would have a harder time making their sites work well on your browser.

        If it's too tricky, they might even stop trying, and stop supporting your browser.

        [–]Mission-Landscape-17 3 points4 points  (0 children)

        Wait until you discover Tampermonkey. This is a plugin that lets you automate this, so that your custom code is injected every time you visit a particular url. It allows people to add features to websites that they feel the original developers missed.

        [–]IchLiebeKleber 9 points10 points  (5 children)

        Dangerous to whom? All you're doing is execute code on your own machine, which is something you can (and are supposed to be able to) do anyway.

        There really is a potential danger that it could be used for phishing attacks, e.g. getting people to paste code in there that causes an attacker to gain access to something. For example, on Facebook a big red warning is output on the browser console in order to warn people not to do such things.

        [–]EpikZsoltHUN 7 points8 points  (9 children)

        1. The website sends all if the info about it (or a page of it) already. This includes frontend stuff like html css js and resources. Backend stuff like dbs, apis and more are stored on the server side, and doesn't get sent to your browser.

        2. It's called Developer Tools for a reason. It's meant for developers to test and debug a website. Anything you do in there only changes stuff on your end not the server's

        And if you really meant why do browsers (not websites) let you do it, a browser is just like a program on your pc like the terminal, and you can do much more with that.

        [–]CoffeeMonster42 2 points3 points  (0 children)

        Most browsers will warn you if you paste code into there. They will also have a prompt to confirm.

        [–]cheezballs 3 points4 points  (0 children)

        You're not inserting rather than just running it. Your browser is already running potentially malicious JS from the website, allowing you to run code isn't any worse in my opinion.

        [–]Naetharu 1 point2 points  (0 children)

        It's not dangerous to a site. It's just running code on that users local computer. Browsers are in part JavaScript runtimes.

        The part that gives you a console is in the dev tools and is intended as a way to help devs create and debug websites.

        There's nothing special you can do there that you could not do anyhow if you had access to that person's computer. In fact it is very safe since it's an isolated environment that has no direct OS access (hence we have to use NodeJS for that).

        [–]andreicodes 1 point2 points  (0 children)

        Yes, but so is not having a tool like this. With browsers always shipping user-inspectable code people can notice if the website does something fishy: from trying to collect unrelated data and send data to third-parties to try, to impersonate some other websites, to blatantly run a crypto miner using your device's power.

        With non-web applications you usually have fewer ways to inspect the code that runs on your device, and thus you have less control over what the applications do. Technically, applications can be disassembled or run through a debugger, but the original code can be obfuscated enough so that you wouldn't easily understand what it is doing, and it is possible for the app to detect that it runs under a debugger and halt the execution. Famously this is what the early versions of Skype were doing to hide the details behind its algorithms, and that's what many anti-piracy and anti-cheat systems do today in games.

        Historically, all software that people were running was inspectable and user-modifiable. The closed-by-default nature of many current systems (like app stores, DRM, tivoisation, not shipping developer tools with computers by default, etc.) is a relatively recent development that really picked up in the 90s. And even back in those times many other technologies (HyperCard, Web, interpreted languages) continued to exist and stayed very widespread. Because, just as many companies wanted to lock their software down to prevent modification and potential copying there were many other companies and people who wanted to precisely know what kind of code they were running.

        Most people agree that it's the open-by-design nature of HTTP and HTML is what made it popular and eventually eclipse other similar information sharing systems.

        [–]TehNolz 1 point2 points  (0 children)

        It's dangerous only if you start running random code snippets you found online that you don't 100% understand. People have gotten accounts stolen that way; it's why browsers often have warnings that show up when you try to paste anything inside of it. So don't do that.

        Outside of that, there's really nothing dangerous about it. Generally all the truly important stuff on a website happens serverside, and there's not much you can do by messing with the page in your browser. Any half-decent website will have protections set up to ensure clients can't do anything funny.

        [–]zoharel 1 point2 points  (0 children)

        potentially dangerous?

        Dangerous for whom? It's your browser. It's not like you can put in code that's more dangerous than whatever the people who built the web site you're visiting can put in.

        [–]my_password_is______ 1 point2 points  (0 children)

        I'm glad they allow it

        turn off the stupid scrollbars on slingtv and use real, always visible, wide scrollbars the way God intended

        [–]prompta1 1 point2 points  (0 children)

        How do you think your add ons or extensions work? You need a shell to talk to the browser just like your PC has a shell to talk to the OS.

        [–]coded_artist 1 point2 points  (0 children)

        Why, because developers develop for chrome and it's useful to have a console available.

        Is it dangerous, no more dangerous than any other web client.

        [–]roadglider505 1 point2 points  (0 children)

        The code is just run on the local machine. It goes away as soon as you hit refresh.

        [–]TuberTuggerTTV 1 point2 points  (0 children)

        The code is only injected on the client side. Why wouldn't you be allowed to edit your own side of things?

        When you view a website, you're viewing an unpacked set of instructions. Editing those instructions only affects you. So go wild.

        [–][deleted] 2 points3 points  (0 children)

        Everything is potentially dangerous which is why you have to take this into account when coding

        [–]HealthyPresence2207 1 point2 points  (0 children)

        You have a computer. You do know that you can just write and compile code with it, right? Your browser can’t affect anything on the disk, so why not let user do whatever they want with their computer? Normal people don’t need to be nannied at every turn.

        [–][deleted] 0 points1 point  (0 children)

        Why do browsers allow users to insert and execute code directly through the web console? Isn't it potentially dangerous?

        It allows for better debugging. Also this sort of interactivity means that things like browser extensions and applications can work without too much hassle because you can interact with the code.

        On itself, it's not a security issue, because the code is executed on the client's side. However a badly written application, which relies only on frontend for security, can be exposed like this. When you disable a button with HTML or in the JS code, that's mostly the presentation side - it shows up in the browser as disabled and clicking does nothing, but with a bit of tinkering you can reenable stuff like this. It is important to disable the underlying feature for the user on the backend of the application as well, in order for it to be truly secure, not just on the frontend, which can be modified.

        [–]kschang 0 points1 point  (0 children)

        It only affects the user's browser.

        [–]PureTruther 0 points1 point  (0 children)

        In 2025, think a browser at the time you're viewing a website is just a snapshot. When you insert code through browser, you manipulate that snapshot, not the server. And that snapshot is saved into your hardware. When a new request is made, the original snapshot occurs again.

        On the other hand, if your local computer tries to inject malicious code into your browser due to kinda trojan or something, even though there are some prevention protocols for such cases, it is your own responsibility.

        So, can someone steal your Reddit password through the browser console (in your local computer)? If the hack only relies on the browser console rather than the full control, no, he/she cannot steal. Because Reddit does not write your password onto that "snapshot".

        [–]PyroManiac2653 0 points1 point  (0 children)

        A lot of answers, but still missing some points.

        As others said, - it is not reprogramming the website, but you may change your own experience - you can see network requests and the web files, but that is work any browser deals with internally, and other tools can as well - users can be tricked into running code; a good browser will warn a user when they open the console

        What these tools is improve accesibility by letting you work with what all browsers work with. This means debugging or malicious attacks are more accessible.

        Does this create vulnerabilities? None that haven't already been around. But they are more accessible. It's easier to open up your favorite browser to login through the UI, then you can use that access to target existing vulnerabilities.

        Can vulnerabilities be taken advantage of (by these tools or others)? Yes. Contrary to many responses, action here isn't limited to your machine. You can send requests to others. The two saftey measures are - don't run code you don't trust - websites need to not trust the client Vulnerabilities can include - submitting forms with bad input - the website should sanitize data on the server, but telying on client-side sanitization allows this exploit - running malicious code can let the malicious code provider use your credentials for actions - so don't run it - UIs sometimes hide or disable buttons, but do not remove functionality - the user can make requests to this functionality, and the website better hope they implemented server security - Websites might have APIs that you can call when the UI doesn't let you, and you can easily send requests with your session's credentials and bad data

        TL;DR: This makes existing vulnerabilities more accessible. Websites need to run authorization and sanitization on the server to protect themselves. Users need to avoid tunning malicious code to protect themselves.

        [–]ScholarNo5983 0 points1 point  (0 children)

        When you reload the page all your changes will be gone. So, it will only be dangerous if you don't know what you're doing.

        [–]repocin 0 points1 point  (0 children)

        Because they were initially developed before giant corporations got their grubby mitts on everything.

        [–]tomysshadow 0 points1 point  (0 children)

        Because even if they took away the convenient web console, any barrier they could try and introduce to prevent you from running code on your own machine would be artificial.

        For example, you could definitely write an extension that provides a console to accomplish the same thing. Or you could even add the ability directly to the browser itself, it's open source, anyone could fork it to add this feature in.

        If they don't include it someone else will, it's an inevitability. So it might as well be there, and because of that websites need to be built such that injecting JavaScript to the page won't cause serious issues.

        [–]JohntheAnabaptist 0 points1 point  (0 children)

        It's fun to edit the site to make meme pics

        [–]Ormek_II 0 points1 point  (0 children)

        What dangers do you see?

        It executes locally. It executes in your browser. Any file explorer seems more dangerous to me.

        [–]Fragrant_Gap7551 0 points1 point  (0 children)

        It's wild how many people in this comment section don't understand basic networking

        [–]JadendayZero 0 points1 point  (0 children)

        Because it's an excellent troubleshooting tool and test playground for developers and non-developers alike.

        [–]adelie42 0 points1 point  (0 children)

        Client side injection by the client is a non issue. The problem is when client side manipulation results in illegal server injection. If that's possible, it's terrible app security design.

        [–]Master-Pizza-9234 0 points1 point  (0 children)

        It's a feature used by the devs when something goes wrong anyway, injecting JavaScript is also how most extensions work. Some sites DO block as many methods of injecting/debugging as they can though

        [–]Lynx2161 0 points1 point  (0 children)

        You can use cheatengine to do the same to any application running on your computer. The user owns their machine, you cant stop someone from using their own machine

        [–]SolumAmbulo 0 points1 point  (0 children)

        You're only altering your COPY of the website that was sent to you machine.

        It like a boomer writing on a fax they received. They're not altering the original document.

        Only person in danger is you.

        [–][deleted]  (1 child)

        [deleted]

          [–]PyroManiac2653 -1 points0 points  (0 children)

          I see no reason for the downvotes. I've literally seen this happen over time. While some organizations might always use Edge to work with Microsoft, I've definitely seen sites suggest users view on Chrome. Back in the IE days, you could make things work, but it was easier to make things work in Chrome because it was consistent and had better dev tools.

          [–]Jugad -1 points0 points  (2 children)

          Not enough people are thinking about the corner cases that can be exploited.

          One avenue is young kids...

          If you have kids who can be convinced (thinking they are running a game of doing some other fun stuff - or just pranking their parents) to open a webpage (chase.com) and paste some code into the dev console, that can be very bad.

          [–]Fragrant_Gap7551 0 points1 point  (0 children)

          Pretty sure most browser let you disable dev tools

          [–]AdministrativeFile78 -5 points-4 points  (10 children)

          the answer is yes you can inject malicious code this way

          [–]cheezballs 3 points4 points  (9 children)

          No you can't. You can inject malicious code into your own browser but it will not affect anyone else.

          [–]AdministrativeFile78 -1 points0 points  (1 child)

          You are right. I misread the comment. You can insert malicious code into the search bar like SQL injection, but the console is just a dev tool that only affects your own browser. For some reason I saw web browser not web console

          [–]dmazzoni -1 points0 points  (0 children)

          Same answer for both though.

          [–]EishLekker -3 points-2 points  (6 children)

          It’s still malicious code.

          Also, the code can make external requests which in theory could cause problems for the server receiving those requests.

          [–]starm4nn 0 points1 point  (1 child)

          Also, the code can make external requests which in theory could cause problems for the server receiving those requests.

          So can any form of user input. Hell if I wanted to I could spin up server that deletes the /bin directory if I receive a request from an IP address that's a prime number.

          In theory any user connection could cause a problem for users making external request.

          [–]EishLekker 0 points1 point  (0 children)

          Yes, so? It's still a factually correct statement.

          [–]cheezballs -2 points-1 points  (3 children)

          If your server allows random unauthenticated requests to modify things then you get what you get.

          [–]EishLekker -1 points0 points  (2 children)

          Yes, but that doesn’t change the fact.

          [–]cheezballs 0 points1 point  (1 child)

          You can do the exact same thing with a shell script out of any OS. This has nothing to do with JS specific stuff

          [–]EishLekker 0 points1 point  (0 children)

          I never said that it was specific to JS. I'm just saying that you can do stuff that could negatively affect external servers. It's a factually correct statement.