Forum Moderators: mack

Javascript hack

Is Javascript dangerous

     
2:53 am on Apr 19, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts: 20
votes: 0


I'm taking a class where one of the students says, "I went to a 'security' workshop where a professional hacker told us how easy it is for him to hack javascript - now I'm almost afraid to use it."

Any takes on this?

2:58 am on Apr 19, 2008 (gmt 0)

Senior Member from MY 

vincevincevince: WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member

joined:Apr 1, 2003
posts:4847
votes: 0


I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer. There are far too many ways to make mistakes which open your site up to XSS and even worse things.

1:59 pm on Apr 20, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Mar 26, 2008
posts:127
votes: 0


My understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse.

Of course, with jscript, it is out there for everyone to look at your code, and have fun with it if they can get into it.

Of course, from my reading, the basic rule is don't take anything from any user without sanitizing and verifying it, and while malicious is always there, stupid can be more dangerous.

4:10 pm on Apr 20, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts:20
votes: 0


"my understanding was that since Jscript mostly just played in its own sandbox, it was like an extra layer of protection rather than the reverse."

versus:

"I advise you to never write javascript for a public website if you would not describe yourself as an advanced javascript programmer."

hmmm...

2:53 pm on Apr 27, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 19, 2006
posts:147
votes: 0


hmmm...

What are you thinking?

3:12 pm on Apr 27, 2008 (gmt 0)

Senior Member

joined:Jan 27, 2003
posts:2534
votes: 0


Typically javascript is not used for anything that is substantially dangerous to a target website. My opinion is that's a good idea - anything potentially dangerous to a website owner should be done server-side (and in most cases it probably has to be anyway). This is perhaps changing a bit with AJAX, I suppose.

If you ask me, javascript security is more of a concern to end users/browsers than people authoring scripts.

Note that there's a big difference between java and javascript, and a small difference between jscript and javascript.

4:02 pm on Apr 27, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts:20
votes: 0


So, if I'm reading this correctly: The potential hazard with javascript (also known as jscript?) is that the visitor to a site could get hijacked to an undisclosed location. True story?

4:26 pm on Apr 27, 2008 (gmt 0)

Senior Member

joined:Jan 27, 2003
posts:2534
votes: 0


Javascript is client side which means it's all run within the context of the web browser a user has. This limits its uses, and the potential damage. The risk to users is stealing data (e.g. cookies) or fooling them into loading unsafe resources (e.g. viruses or malware). This would be as a result of a malicious website operator, or by a hacker injecting code into a third party site.

Unless a webmaster uses javascript for inappropriate things (e.g. for validating credentials) then I don't see much of a risk factor, but I'm no expert by any means.
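
Added example, not part of any post in this thread: the "sanitize and verify anything from a user" rule and the injected-code risk discussed above, shown as a comment renderer before and after output encoding, with the validation done server-side. All function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: names below are hypothetical, not taken from the thread.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that let text break out of HTML element or
// quoted-attribute context. Apply at output time, to every untrusted value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: user text is concatenated straight into markup, so any tags in
// the comment become part of the page that other visitors load.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// After: the same template, with every user-supplied value encoded.
function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</div>';
}

// Validation that must run on the server: a browser-side check is only a
// convenience, because the visitor controls the script that performs it.
// Allow-list: 3 to 20 letters, digits or underscores (assumed policy).
function isValidUsername(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// Constructed sample input: a comment carrying a harmless script tag.
const SAMPLE = {
  author: 'guest_42',
  text: 'Nice post <script>document.title="x"</script>',
};

// Render the sample both ways so the two outputs can be compared.
function demo() {
  return {
    unsafe: renderCommentUnsafe(SAMPLE.author, SAMPLE.text),
    safe: renderCommentSafe(SAMPLE.author, SAMPLE.text),
  };
}
```

In the unsafe output the script tag survives intact; in the safe output it is displayed as text and never executed.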