Home / Forums Index / WebmasterWorld / New To Web Development

New To Web Development Forum

Javascript hack: Is Javascript dangerous
snsetd
5+ Year Member
Msg#: 3630282 posted 2:53 am on Apr 19, 2008 (gmt 0)

I'm taking a class where one of the students says, "I went to a 'security' workshop where a professional hacker told us how easy it is for him to hack javascript - now I'm almost afraid to use it."

Any takes on this?

vincevincevince
WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member
Msg#: 3630282 posted 2:58 am on Apr 19, 2008 (gmt 0)

I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer. There are far too many ways to make mistakes which open your site up to XSS and even worse things.

Baruch Menachem
5+ Year Member
Msg#: 3630282 posted 1:59 pm on Apr 20, 2008 (gmt 0)

My understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse.

Of course, with jscript, it is out there for everyone to look at your code, and have fun with it if they can get into it.

Of course, from my reading, the basic rule is don't take anything from any user without sanitizing and verifying it, and while malicious is always there, stupid can be more dangerous.

snsetd
5+ Year Member
Msg#: 3630282 posted 4:10 pm on Apr 20, 2008 (gmt 0)

"my understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse."

versus:

"I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer."

hmmm...

scraptoft
5+ Year Member
Msg#: 3630282 posted 2:53 pm on Apr 27, 2008 (gmt 0)

hmmm...

What are you thinking?

Receptional Andy
Msg#: 3630282 posted 3:12 pm on Apr 27, 2008 (gmt 0)

Typically javascript is not used for anything that is substantially dangerous to a target website. My opinion is that's a good idea - anything potentially dangerous to a website owner should be done server-side (and in most cases it probably has to be anyway). This is perhaps changing a bit with AJAX, I suppose.

If you ask me, javascript security is more of a concern to end users/browsers than people authoring scripts.

Note that there's a big difference between java and javascript, and a small difference between jscript and javascript.

snsetd
5+ Year Member
Msg#: 3630282 posted 4:02 pm on Apr 27, 2008 (gmt 0)

So, if I'm reading this correctly: The potential hazard with javascript (also known as jscript?) is that the visitor to a site could get hijacked to an undisclosed location. True story?

Receptional Andy
Msg#: 3630282 posted 4:26 pm on Apr 27, 2008 (gmt 0)

Javascript is client side, which means it's all run within the context of the web browser a user has. This limits its uses, and the potential damage. The risk to users is stealing data (e.g. cookies) or fooling them into loading unsafe resources (e.g. viruses or malware). This would be as a result of a malicious website operator, or by a hacker injecting code into a third party site.

Unless a webmaster uses javascript for inappropriate things (e.g. for validating credentials) then I don't see much of a risk factor, but I'm no expert by any means.
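The two cautions in this thread, vincevincevince's point that careless javascript opens a site to XSS and Baruch Menachem's rule of never taking anything from a user without sanitizing it, come down to one mechanic: a visitor-supplied value pasted into markup unchanged becomes code in every other visitor's browser. The block below is an added example written for this page, not code from any poster; the function names (escapeHtml, greetUnsafe, greetSafe, containsRawMarkup) and the sample input are constructed for illustration and run under Node.

```javascript
// Added example (not from the thread): untrusted text pasted straight into
// HTML versus the same text escaped for the HTML text context.

// Characters that carry meaning in HTML text and attribute contexts,
// mapped to the entity that renders them as literal characters.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape one untrusted value so the browser treats it as text, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the value lands in the page unchanged. This is the pattern
// behind most cross-site scripting, whether done server-side or via innerHTML.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: identical template, but the value is escaped before insertion.
function greetSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// A crude review check: does the rendered output still contain the untrusted
// value verbatim while that value holds markup-significant characters?
function containsRawMarkup(rendered, untrusted) {
  return rendered.includes(untrusted) && /[<>"'&]/.test(untrusted);
}

// Constructed sample input: a "name" a visitor typed into a form that is
// really a script element (a standard harmless test string, not a real attack).
const SAMPLE_NAME = '<script>alert(1)</script>';

console.log('unsafe:', greetUnsafe(SAMPLE_NAME)); // script tag survives intact
console.log('safe:  ', greetSafe(SAMPLE_NAME));   // rendered as visible text

module.exports = { escapeHtml, greetUnsafe, greetSafe, containsRawMarkup, SAMPLE_NAME };
```

Escaping is context-specific: this map is correct for text nodes and double- or single-quoted attribute values, but a value dropped into a URL, a script block, or an inline event handler needs its own encoding, which is why the thread's advice to keep anything security-relevant server-side and to treat every user value as untrusted still stands.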
