If I were malicious (or malicious and thoughtless) I could add some PHP to websites I’m working on (or back-end web applications I’m building) that can send some data I’m not authorised to have to my remote server. There are numerous ways to achieve that.
I was wondering: can JavaScript do something similar?
For example, is it possible to be spied on through some HTML/CSS/JavaScript web template which will disclose information from (about) my website, sending any kind of information from my website/web app to the remote server of a malicious developer?
Thanks in advance.
Yes, of course you can send data to other servers using JavaScript. The only difference from your PHP-snippet approach is that it is executed client-side, in the user’s view of the application. So, you can only leak data that the current user knows, and you can only compromise the application with the rights of the current user (and his credentials).
However, it would be more difficult to detect JavaScript injections (which can also happen client-side or during the transfer) than malicious PHP snippets.
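One way to review a third-party template for the outbound paths the answer describes, as an added example that is not part of the original question or answer: it flags lines that name a host outside an allowlist or that use a network API with no literal destination, and builds a Content-Security-Policy from the same allowlist. The host names, the `SAMPLE` template and the function names `auditTemplate` and `cspFor` are assumptions made for illustration.

```javascript
// Added example. Hostnames and SAMPLE are constructed for illustration.
const ALLOWED_HOSTS = new Set(["example.com", "cdn.example.com"]);

// Browser APIs and markup attributes that can cause a request to another origin.
const SINKS = [
  /\bfetch\s*\(/, /\bXMLHttpRequest\b/, /\bsendBeacon\s*\(/,
  /\bnew\s+WebSocket\b/, /\bnew\s+EventSource\b/, /\bnew\s+Image\b/,
  /<form\b[^>]*\baction\s*=/i, /<(?:script|img|iframe|link)\b[^>]*\b(?:src|href)\s*=/i,
];

// Absolute or protocol-relative URL; capture only the (dotted) host name.
const URL_RE = /(?:(?:https?|wss?):)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;

// Return one finding per line that names an unlisted host, or that uses a
// network sink without a literal host (destination must be reviewed by hand).
function auditTemplate(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const hosts = [...text.matchAll(URL_RE)].map((m) => m[1].toLowerCase());
    const unknown = hosts.filter((h) => !ALLOWED_HOSTS.has(h));
    if (unknown.length > 0) {
      findings.push({ line: i + 1, kind: "unknown-host", hosts: unknown });
    } else if (hosts.length === 0 && SINKS.some((re) => re.test(text))) {
      findings.push({ line: i + 1, kind: "review-destination", hosts: [] });
    }
  });
  return findings;
}

// Content-Security-Policy value that makes the browser enforce the same list.
// form-action is set explicitly because it does not fall back to default-src.
function cspFor(allowed) {
  const list = ["'self'", ...[...allowed].map((h) => "https://" + h)].join(" ");
  return `default-src 'self'; script-src ${list}; img-src ${list}; ` +
    `connect-src ${list}; form-action 'self'`;
}

const SAMPLE = [
  '<script src="https://cdn.example.com/app.js"></script>',
  '<img src="//stats.tracker.invalid/p.gif">',
  "navigator.sendBeacon(endpoint, payload);",
  'const el = document.querySelector("#menu");',
].join("\n");

console.log(auditTemplate(SAMPLE));
console.log(cspFor(ALLOWED_HOSTS));
```

Pattern matching over source is a heuristic and will miss destinations assembled at run time, so the policy string is the part the browser actually enforces, since it blocks requests to unlisted origins however the script was written.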