Javascript hack

Is Javascript dangerous

     
2:53 am on Apr 19, 2008 (gmt 0)

5+ Year Member



I'm taking a class where one of the students says, "I went to a 'security' workshop where a professional hacker told us how easy it is for him to hack javascript - now I'm almost afraid to use it."

Any takes on this?

2:58 am on Apr 19, 2008 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer. There are far too many ways to make mistakes which open your site up to XSS and even worse things.

1:59 pm on Apr 20, 2008 (gmt 0)

5+ Year Member



My understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse.

Of course, with jscript, it is out there for everyone to look at your code, and have fun with it if they can get into it.

Of course, from my reading, the basic rule is don't take anything from any user without sanitizing and verifying it, and while malicious is always there, stupid can be more dangerous.

4:10 pm on Apr 20, 2008 (gmt 0)

5+ Year Member



"my understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse."

versus:

"I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer."

hmmm...

2:53 pm on Apr 27, 2008 (gmt 0)

5+ Year Member



hmmm...

What are you thinking?

3:12 pm on Apr 27, 2008 (gmt 0)



Typically javascript is not used for anything that is substantially dangerous to a target website. My opinion is that's a good idea - anything potentially dangerous to a website owner should be done server-side (and in most cases it probably has to be anyway). This is perhaps changing a bit with AJAX, I suppose.

If you ask me, javascript security is more of a concern to end users/browsers than people authoring scripts.

Note that there's a big difference between java and javascript, and a small difference between jscript and javascript.

4:02 pm on Apr 27, 2008 (gmt 0)

5+ Year Member



So, if I'm reading this correctly: The potential hazard with javascript (also known as jscript?) is that the visitor to a site could get hijacked to an undisclosed location. True story?

4:26 pm on Apr 27, 2008 (gmt 0)



Javascript is client side which means it's all run within the context of the web browser a user has. This limits its uses, and the potential damage. The risk to users is stealing data (e.g. cookies) or fooling them into loading unsafe resources (e.g. viruses or malware). This would be as a result of a malicious website operator, or by a hacker injecting code into a third party site.

Unless a webmaster uses javascript for inappropriate things (e.g. for validating credentials) then I don't see much of a risk factor, but I'm no expert by any means.
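
Added example, not part of the original thread: the "sanitize anything from a user" rule and the injected-code risk discussed above, shown as output encoding when a site renders a visitor's comment. The function names (`escapeHtml`, `safeHref`, `renderComment`) and the sample comments are constructed for illustration.

```javascript
// Added example (not from the thread). All names and sample data are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Encode the five characters that can change how a browser parses
// HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links. Any other scheme (javascript:, data:)
// or unparseable input is replaced by an inert "#".
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch (err) {
    return '#';
  }
}

// Build the comment markup: the link target is scheme-checked and then
// attribute-encoded; author and text are encoded as HTML text.
function renderComment(comment) {
  return '<div class="comment">' +
    '<a href="' + escapeHtml(safeHref(comment.website)) + '">' +
    escapeHtml(comment.author) + '</a>' +
    '<p>' + escapeHtml(comment.text) + '</p></div>';
}

// Constructed sample input: one hostile comment, one ordinary one.
const hostile = {
  author: 'Bob "the builder"',
  website: 'javascript:alert(1)',
  text: '<script>alert(1)</script> hi & bye'
};
const ordinary = {
  author: 'Alice',
  website: 'https://example.com/a?b=1&c=2',
  text: 'Nice thread'
};

console.log(renderComment(hostile));
console.log(renderComment(ordinary));
```

The same encoding has to run wherever the page is assembled; checks that exist only in the visitor's browser can be bypassed, which is why credential validation belongs on the server.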

 
