computer security

Discussion in 'Computer Security' started by ram charanthej, Aug 23, 2010.

  1. Javascript: what it is and why you should be concerned

    Newsgroups: alt.computer.security, comp.security, misc.consumers
    From: Bottom Line Computer <>
    Date: Mon, 17 May 2004 09:05:40 -0500
    Local: Mon, May 17 2004 7:05 pm
    Subject: Javascript: what it is and why you should be concerned
    What it is:

    Javascript is a feature of browsers which is supposed to make
    possible all sorts of interesting features in a Web site.
    Unfortunately, few of these features are actually useful to the
    end user, and many are undesirable. It is what is called a
    client-side scripting language. Another such language is VBScript.


    Usually, Javascript is enabled in your browser, unless you explicitly
    turn it off.


    What it's supposed to be good for:


    Javascript is commonly used to implement flashy features of
    marginal utility such as mouseovers. Mouseovers are when you move
    your mouse over something on a Web page and something happens, such
    as maybe that something changes appearance, or maybe a little menu
    pops up.


    Javascript can be used to create highly interactive games on the Web.


    Javascript is also used to do client-side validation of input in
    forms. The idea is your own browser checks that everything you typed
    in on the form is valid before it sends it to the server.


    Javascript can be used to create guestbooks, calendars and the like.


    Finally, Javascript is used to create popups and popunders.


    What's wrong with it:


    For starters, Javascript is used to create popups and popunders.
    Advertisers love them, as a way of getting in your face. But
    computer users hate them, because they're annoying. Also some
    malicious Web sites use Javascript to fill your screen with hundreds
    of popups that you can't get rid of.


    Even worse, Javascript is full of security vulnerabilities. Using
    Javascript, a dishonest Web site can get your private information,
    such as passwords and credit card information, off your computer
    without your knowledge or consent. When a crook grabs your credit
    card info, it's as bad as if he had stolen your credit card.
    He can run up a huge bill and destroy your credit rating.
    Here's a list
    (http://search.cert.org/query.html?rq=0&col=certadv&col=incnotes&col=r...)
    of some of the possible ways this can be done. And below are some
    quick links to reported vulnerabilities:


    http://news.netcraft.com/archives/2004/04/01/new_phishing_scam_prompt...
    New Phishing Scam Prompts Warnings


    http://www.cert.org/advisories/CA-1997-20.html CERT® Advisory
    CA-1997-20 JavaScript Vulnerability


    http://www.kb.cert.org/vuls/id/184820 Adobe Acrobat does not
    adequately validate Acrobat JavaScript


    http://www.kb.cert.org/vuls/id/255915 WebBoard does not adequately
    validate user input thereby permitting arbitrary JavaScript execution


    http://www.kb.cert.org/vuls/id/642239 Lotus Domino Server R5
    vulnerable to Cross-Site Scripting via passing of user input directly
    to default error page


    The list goes on and on, but you get the idea.


    Javascript isn't the only way to create guestbooks, calendars and
    the like. These things can be done entirely on the server.


    Javascript is one of the best ways to put highly interactive games
    on the Web. Is that really worth it?


    Finally, Javascript really isn't the best way to do validation of
    user input. If a Web site expects the browser to validate the input,
    then a malicious user can create a program to feed invalid input to
    the site without using a browser. No browser, no Javascript, and so
    no validation. So you really need to do the validation in the Web
    server anyway.


    Some people say that doing validation on the client with Javascript
    will reduce net traffic. Sorry, I don't buy it. Every time you load
    a page with Javascript, you have to download that Javascript code
    over the net. This happens even if you have Javascript disabled in
    your browser. A lot of these scripts are huge. They make up most of
    what gets transmitted over the net.


    In summary, everything Javascript can do can either be done better
    some other way, or is so trivial it's scarcely worth doing.
    And it's very dangerous
    (http://search.cert.org/query.html?rq=0&col=certadv&col=incnotes&col=r...).
    It's just not worth it.


    What to do about it:


    It's possible to configure your browser not to support Javascript.
    This sounds like it should solve everything. But there's a catch.
    There are a lot of sites out there that depend on Javascript to work
    properly. They're just put together that way. There are ways to put
    together these sites without needing Javascript, but the people who
    put these sites together didn't bother. Hotmail
    (http://www.hotmail.com/) is one offender.


    So what you need is a strategy to cope with Javascript.
    Here's what I suggest:

    - Disable Javascript in your main browser.
    - Avoid using sites that require Javascript, as much as possible.
    - Keep a second browser on your system that has Javascript enabled.
    - Use the Javascript-enabled browser for those sites which require
      Javascript, and which you absolutely must use. Use it only for
      these sites.
    - Try to set up your Javascript-enabled browser not to store its
      cookies on disk. Failing that, delete all cookies after every use
      of that browser.
    - Raise a ruckus. Complain about every site that requires
      Javascript. If they ask why, point them to this page.
      Remember, there is no good reason why any site has to be made to
      require Javascript.
    - Spread the word.


    It's not just me:


    http://www.panix.com/~aahz/javascript.html Anti-Javascript FAQ


    http://linuxmafia.com/faq/Web/opti.html "This page optimized
    for ..." - arguing with customers -


    Final notes:


    It's entirely possible to make a site that uses Javascript, but does
    not require it. Such a site will have some frilly extra features if
    you have Javascript enabled in your browser. But if you disable
    Javascript, the site will still be perfectly usable. I have no great
    objection to such sites. But sites that require you to have
    Javascript enabled in order to use them at all are inexcusable.


    VBScript, the other client-side scripting language, also has serious
    problems
    (http://search.cert.org/query.html?rq=0&col=certadv&col=incnotes&col=r...).
    It's less widespread than Javascript, which is good. But it's not a
    substitute for Javascript. It's just the same headache by a
    different name. And it requires Internet Explorer, which is the most
    insecure browser in common use.


    http://techsupp.blcss.com/#nojavascript Home link


    Southern New Hampshire residents: don't throw away that old broken
    computer.
    Call us first: 603-244-1652. If we can't fix it cheap, we'll take it
    off your hands.


    ram charanthej, Aug 23, 2010
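
The post's point that input validation has to happen on the server, because a request need not come from a browser that ran the page's script, shown as an added example that is not part of the original post. The field names, rules and sample request bodies are hypothetical and constructed for illustration.

```javascript
// Added example: server-side validation of a form body. Field names and
// rules are hypothetical; the sample bodies below are constructed.
const RULES = {
  name:  v => /^[\p{L} .'-]{1,64}$/u.test(v),
  email: v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  qty:   v => /^[1-9][0-9]{0,2}$/.test(v),           // integer 1..999
};
const hasRule = key => Object.prototype.hasOwnProperty.call(RULES, key);

// Validate a raw application/x-www-form-urlencoded body exactly as it
// arrived, whether or not any browser script checked it first.
function validateForm(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > 4096) {
    return { ok: false, errors: ['body missing or too large'], values: {} };
  }
  const errors = [];
  const seen = new Map();
  for (const [key, value] of new URLSearchParams(rawBody)) {
    if (!hasRule(key)) { errors.push(`unexpected field: ${key}`); continue; }
    if (seen.has(key)) { errors.push(`duplicate field: ${key}`); continue; }
    seen.set(key, value);
  }
  const values = {};
  for (const key of Object.keys(RULES)) {
    if (!seen.has(key)) { errors.push(`missing field: ${key}`); continue; }
    if (!RULES[key](seen.get(key))) { errors.push(`invalid field: ${key}`); continue; }
    values[key] = seen.get(key);
  }
  // Only hand values to the application when every check passed.
  const ok = errors.length === 0;
  return { ok, errors, values: ok ? values : {} };
}

// Constructed inputs: what the browser form would submit, and what a
// client that never ran the page's script could submit instead.
const fromBrowser = 'name=Ann+Lee&email=ann%40example.org&qty=3';
const fromScript  = 'name=Ann+Lee&email=not-an-email&qty=-5&admin=1';

console.log(validateForm(fromBrowser));
console.log(validateForm(fromScript));
```

Any client-side check of the same form is then only a convenience for the user; the server's decision does not depend on it.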