Looking for info on JavaScript Exploits

Started by Jack.R.Abbit™, August 26, 2004, 11:02:12 AM

Jack.R.Abbit™

Let me start by saying I don't really want actual code and would suggest that admins/mods remove any that are posted... I am simply doing some research.  I am currently in a discussion with others where the topic of the danger of Active X was raised.  Another has suggested that you can't bring up the danger of Active X without also the danger of JavaScript.  I've always been one to think that the danger of JavaScript is grossly overstated.  I've been known to criticize those that have JavaScript disabled for being paranoid.  But before I get myself too deep in it, I'd like to know a bit more.  I've been known to be wrong.  :)

If JavaScript is so dangerous, I'd like to know just how dangerous.  And I don't really consider using normal JavaScript to exploit a web site as the same thing.  I've personally discovered a way to use JavaScript to harvest login cookies from ezBoards many years ago, but I view that as a problem with ezBoard not JavaScript (I reported it BTW).  I've searched all over and the only things I find are documents written like 5 years ago (a lifetime in web-years) that only rant about JavaScript being so dangerous because it executes code on your machine.  Huh?  AFAIK, JavaScript has not the permission to interact with much of anything on your computer.  I'm looking for specific, concrete exploits that are malicious... not simple paranoid rants.

So... can anyone put some light on this subject?

[Unknown]

As long as you use a proper browser, and don't allow code insertion on your own site, JavaScript is not a security problem.

You always have to be aware though, especially on forums - because if the user can get it into your forum, they can harvest cookies... that's just how it is.  JavaScript can also be used to make things disappear - such as the remove topic button.

But again, JavaScript on proper browsers doesn't have the ability, permission, or power to interact with the client computer.  It's in the "sandbox" so to speak... which is a very good thing for the internet.

However, there is another issue if you're not aware.  JavaScript can be used to log keystrokes, or to check for passwords in the clipboard.  If you copied, say, your ftp address for your site (with login information) and then browsed a site with IE... it could steal this information.  Opera and Mozilla do not allow, to my recollection, this to happen.

So, yes, there are security issues with everything.  Even HTML has security issues - I could use it, in cases, to crash your browser... leading to data loss.  Even this is "warfare".

So... you're never safe.  But, if you're going to live cowering in the corner with a gun all your life.... why bother living?

-[Unknown]
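
Added example, not part of the original posts and not SMF's own code: a defender-side sketch of the "don't allow code insertion on your own site" point above, escaping posted text before a small BBCode subset is turned back into HTML, and marking the session cookie so page scripts cannot read it. The function names, the two supported tags and the cookie name are assumptions made for illustration.

```javascript
// Hypothetical forum post renderer (constructed for illustration).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn every HTML metacharacter into an entity so posted markup is shown, not run.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) targets; javascript:, data: and malformed URLs fail.
function isSafeUrl(raw) {
  try {
    const { protocol } = new URL(raw);
    return protocol === 'http:' || protocol === 'https:';
  } catch {
    return false;
  }
}

// Escape first, then re-introduce a fixed set of tags from BBCode.
// The link target is already entity-escaped, so it cannot break out of the attribute.
function renderPost(raw) {
  let html = escapeHtml(raw);
  html = html.replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>');
  html = html.replace(/\[url=([^\]\s]+)\]([\s\S]*?)\[\/url\]/g, (match, target, label) =>
    isSafeUrl(target) ? `<a href="${target}" rel="nofollow noopener">${label}</a>` : label);
  return html;
}

// Session cookie that page scripts cannot read (HttpOnly) and that is only
// sent over HTTPS (Secure), so an inserted script has no login cookie to collect.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample posts, not taken from any real forum.
const samples = [
  '<script>alert(1)</script>',
  '[url=javascript:alert(1)]click[/url]',
  '[url=https://example.com/?a=1&b=2]site[/url] and [b]bold[/b]',
];
for (const post of samples) console.log(renderPost(post));
console.log('Set-Cookie: ' + sessionCookieHeader('forum_session', 'abc123'));
```
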

Jack.R.Abbit™

ok.. so I'm not too far off.

Out of all of that... the part that most interests me is the "JavaScript can be used to log keystrokes".  I did not know this.  Is it done easily?  Under what conditions?

More background on the discussion.  The actual discussion is about switching from IE to Mozilla.  One has stated the danger of ActiveX as a good reason to switch.  This was countered with "well what about JavaScript?"  My thought was that whatever dangers there are with JavaScript, they'd mostly (if not all) go away with the switch to Mozilla as well.  Perhaps this person accidentally gave a good reason to switch without knowing.  :)

[Unknown]

Well, there are a few things... and they are better with Mozilla imho.  Why do you think I use Mozilla Firefox?

For the most part, it's fine.  Security with ActiveX is a pain though, because technically all you have to do to "sell your soul" is click "OK" - and a lot of people do that accidentally.  It can happen without even meaning to, i.e. by typing.

The thing about Mozilla is they are sensitive about this (Microsoft is too!) but ALSO that they react faster.  If you need it solved, and you need it solved yesterday.... they can fix it and you can get a nightly build.  Problem solved.  Maybe not perfect, but it's better than before.

For example.... Mozilla has something like ActiveX - "xpinstall" or cross platform install.  This you have to "OK" as well, and then restart your browser to use.... but you can't click OK for three seconds.  Why?  So no one can fool you into accidentally typing O or SPACE, or clicking in the spot.  Because they realize that's a problem.

The bar SP2 includes is also a good solution to that same problem.... but Mozilla has had their solution out to the public longer.

As far as keylogging... you can get keystrokes with js, so you can log them too.  If I can get something in a variable with javascript, I can log it somewhere - except on Opera.

As for Opera... it may be more secure, in ways, simply because it supports nothing.  Not to insult it, but you can't do things in it that you can in Mozilla and IE - and this makes it so things can't be as cool.... but also things can be more secure.

So, I'd say SP2 has made great bounds towards better security.... don't forget that; but Mozilla is still on top imho ;).

-[Unknown]
