Velocity Reviews - Computer Hardware Reviews

computer security

 
 
ram charanthej
      08-23-2010
Newsgroups: alt.computer.security, comp.security, misc.consumers
From: Bottom Line Computer <(E-Mail Removed)>
Date: Mon, 17 May 2004 09:05:40 -0500
Local: Mon, May 17 2004 7:05 pm
Subject: Javascript: what it is and why you should be concerned
What it is:

Javascript is a feature of browsers which is supposed to make
possible all sorts of interesting features in a Web site.
Unfortunately, few of these features are actually useful to the
end user, and many are undesirable. It is what is called a
client-side scripting language. Another such language is VBScript.


Usually, Javascript is enabled in your browser, unless you explicitly
turn it off.


What it's supposed to be good for:


Javascript is commonly used to implement flashy features of
marginal utility such as mouseovers. Mouseovers are when you move
your mouse over something on a Web page and something happens, such
as maybe that something changes appearance, or maybe a little menu
pops up.


Javascript can be used to create highly interactive games on the Web.


Javascript is also used to do client-side validation of input in
forms. The idea is your own browser checks that everything you typed
in on the form is valid before it sends it to the server.


Javascript can be used to create guestbooks, calendars and the like.


Finally, Javascript is used to create popups and popunders.


What's wrong with it:


For starters, Javascript is used to create popups and popunders.
Advertisers love them, as a way of getting in your face. But computer
users hate them, because they're annoying. Also some malicious Web
sites use Javascript to fill your screen with hundreds of popups
that you can't get rid of.


Even worse, Javascript is full of security vulnerabilities. Using
Javascript, a dishonest Web site can get your private information,
such as *passwords* and *credit card* information, off your computer
without your knowledge or consent. When a crook grabs your credit
card info, it's as bad as if he had stolen your credit card.
He can run up a huge bill and destroy your credit rating.
Here's a list (http://search.cert.org/query.html?rq...incnotes&col=r...)
of some of the possible ways this can be done. And below are some
quick links to reported vulnerabilities:


http://news.netcraft.com/archives/20...ng_scam_prompt...
New Phishing Scam Prompts Warnings


http://www.cert.org/advisories/CA-1997-20.html CERT® Advisory
CA-1997-20 JavaScript Vulnerability


http://www.kb.cert.org/vuls/id/184820 Adobe Acrobat does not
adequately validate Acrobat JavaScript


http://www.kb.cert.org/vuls/id/255915 WebBoard does not adequately
validate user input thereby permitting arbitrary JavaScript execution


http://www.kb.cert.org/vuls/id/642239 Lotus Domino Server R5
vulnerable to Cross-Site Scripting via passing of user input directly
to default error page


The list goes on and on, but you get the idea.


Javascript isn't the only way to create guestbooks, calendars and
the like. These things can be done entirely on the server.


Javascript is one of the best ways to put highly interactive games
on the Web. Is that really worth it?


Finally, Javascript really isn't the best way to do validation of
user input. If a Web site expects the browser to validate the input,
then a malicious user can create a program to feed invalid input to
the site without using a browser. No browser, no Javascript, and so
no validation. So you really need to do the validation in the Web
server anyway.


Some people say that doing validation on the client with Javascript
will reduce net traffic. Sorry, I don't buy it. Every time you load
a page with Javascript, you have to download that Javascript code
over the net. This happens even if you have Javascript disabled in
your browser. A lot of these scripts are huge. They make up most of
what gets transmitted over the net.


In summary, everything Javascript can do can either be done better
some other way, or is so trivial it's scarcely worth doing.
And it's very dangerous
(http://search.cert.org/query.html?rq...incnotes&col=r...).
It's just not worth it.


What to do about it:


It's possible to configure your browser not to support Javascript.
This sounds like it should solve everything. But there's a catch.
There are a lot of sites out there that depend on Javascript to work
properly. They're just put together that way. There are ways to put
together these sites without needing Javascript, but the people who
put these sites together didn't bother. Hotmail
(http://www.hotmail.com/) is one offender.


So what you need is a strategy to cope with Javascript.
Here's what I suggest:

- Disable Javascript in your main browser.
- Avoid using sites that require Javascript, as much as possible.
- Keep a second browser on your system that has Javascript enabled.
- Use the Javascript-enabled browser for those sites which require
  Javascript, and which you absolutely must use. Use it *only* for
  these sites.
- Try to set up your Javascript-enabled browser not to store its
  cookies on disk. Failing that, delete all cookies after every use
  of that browser.
- *Raise a ruckus*. Complain about every site that requires
  Javascript. If they ask why, point them to this page. Remember,
  there is no good reason why any site has to be made to require
  Javascript.
- Spread the word.


It's not just me:


http://www.panix.com/~aahz/javascript.html Anti-Javascript FAQ


http://linuxmafia.com/faq/Web/opti.html "This page optimized
for ..." - arguing with customers -


Final notes:


It's entirely possible to make a site that uses Javascript, but does
not require it. Such a site will have some frilly extra features if
you have Javascript enabled in your browser. But if you disable
Javascript, the site will still be perfectly usable. I have no great
objection to such sites. But sites that *require* you to have
Javascript enabled in order to use them at all are inexcusable.


VBScript, the other client-side scripting language, also has serious
problems (http://search.cert.org/query.html?rq...incnotes&col=r...).
It's less widespread than Javascript, which is good. But it's not a
substitute for Javascript. It's just the same headache by a different
name. And it requires Internet Explorer, which is the most insecure
browser in common use.


http://techsupp.blcss.com/#nojavascript Home link


Southern New Hampshire residents: don't throw away that old broken
computer.
Call us first: 603-244-1652. If we can't fix it cheap, we'll take it
off your hands.
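
Added example, not part of the original post: the post's point that input checked only by Javascript in the browser is not checked at all when a request is sent without a browser, shown as two server-side handlers in Node.js. The field names, limits and sample request bodies are hypothetical and constructed for illustration.

```javascript
'use strict';
// Added example. Field names and limits are hypothetical.

// The same rules a client-side script would apply, enforced on the server.
const RULES = new Map([
  ['name', v => /^[\p{L} .'-]{1,60}$/u.test(v)],
  ['email', v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)],
  ['quantity', v => /^[0-9]{1,3}$/.test(v) && Number(v) >= 1 && Number(v) <= 100],
]);

// Decode an application/x-www-form-urlencoded body as it arrived on the wire.
function parseForm(rawBody) {
  const fields = new Map();
  const errors = [];
  for (const [key, value] of new URLSearchParams(rawBody)) {
    if (fields.has(key)) errors.push(`${key}: duplicated field`);
    else fields.set(key, value);
  }
  return { fields, errors };
}

// Handler that relies on the browser's Javascript check: accepts anything.
function handleTrusting(rawBody) {
  return { status: 200, order: Object.fromEntries(parseForm(rawBody).fields) };
}

// Handler that validates every request itself, whoever sent it.
function handleValidating(rawBody) {
  const { fields, errors } = parseForm(rawBody);
  for (const key of fields.keys()) {
    if (!RULES.has(key)) errors.push(`${key}: unexpected field`);
  }
  for (const [key, isValid] of RULES) {
    if (!fields.has(key)) errors.push(`${key}: missing`);
    else if (!isValid(fields.get(key))) errors.push(`${key}: invalid`);
  }
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, order: { name: fields.get('name'),
    email: fields.get('email'), quantity: Number(fields.get('quantity')) } };
}

// Constructed sample bodies: one as a browser would submit after its script
// passed the form, one written by hand and sent with no browser involved.
const FROM_BROWSER = 'name=Ann+Lee&email=ann%40example.com&quantity=2';
const HAND_BUILT = 'name=Ann+Lee&email=not-an-email&quantity=-5&price=0';

console.log(handleTrusting(HAND_BUILT));
console.log(handleValidating(HAND_BUILT));
console.log(handleValidating(FROM_BROWSER));
```

The trusting handler stores the negative quantity and the extra `price` field unchanged; the validating handler rejects the same body with one error per offending field and accepts the well-formed one.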

