On a webpage I have been working on, we can archive certain webpages for a user.
Question
On a webpage I have been working on, we can archive certain webpages for a user. The user can give an address and this webpage is then visited on the server and archived. Lately, I noticed that JavaScript is turned on.
Obviously, the client can execute any JavaScript on the server. Now my question is: what vulnerabilities are exposed by allowing the client to execute arbitrary JavaScript on the server?
The webpage is not only archived, but also all scripts are run for at most 200 milliseconds, after which a screenshot is taken.
Is it dangerous to allow clients to run JavaScript on a Server?
Explanation / Answer
If any of the pages you've archived on your server contain malicious code targeting WebKit vulnerabilities (remember, wkhtmltopdf runs on WebKit), it's theoretically possible this will result in a security breach on your server upon running the page through wkhtmltopdf.
The implication here is that malicious code that would normally target your users' client machines is now de facto attacking your server; you'll have to decide for yourself how you rate this risk.
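One way to shrink that exposure, shown as an added example that is not part of the original question or answer: render with JavaScript switched off and the renderer constrained. It assumes `wkhtmltopdf` is installed on the server's PATH; `build_argv` and `archive` are hypothetical helper names.

```python
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def build_argv(url, out_path, binary="wkhtmltopdf"):
    """Return a hardened renderer command line for a user-supplied URL."""
    parts = urlsplit(url)
    # Reject file:, javascript:, data: and schemeless input before the
    # renderer ever sees it.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"refusing to archive {url!r}")
    return [
        binary,
        "--disable-javascript",         # page scripts never reach the WebKit JS engine
        "--disable-plugins",            # no plugin content is instantiated
        "--disable-local-file-access",  # the page cannot pull in file:// resources
        url,
        out_path,                       # chosen by the server, never by the user
    ]


def archive(url, out_path, timeout_s=15):
    """Render url to out_path; return True only on a clean renderer exit."""
    argv = build_argv(url, out_path)
    try:
        proc = subprocess.run(
            argv,                          # argument list, so no shell parsing of the URL
            env={"PATH": "/usr/bin:/bin"}, # do not leak server secrets via the environment
            stdin=subprocess.DEVNULL,
            capture_output=True,
            timeout=timeout_s,             # hard wall-clock limit on the renderer
        )
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0
```

Disabling scripts does not remove bugs in WebKit's HTML, CSS or image parsing, so the renderer should still run as an unprivileged user inside a container or similar sandbox.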