Cross-Site Vulnerabilities.
A common JavaScript-related security problem is cross-site scripting, or XSS, a violation of the same-origin policy. XSS vulnerabilities occur when an attacker is able to cause a target web site, such as an online banking website, to include a malicious script in the webpage presented to a victim. The script in this example can then access the banking application with the privileges of the victim, potentially disclosing secret information or transferring money without the victim's authorization. A solution to XSS vulnerabilities is to use HTML escaping whenever displaying untrusted data. Some browsers include partial protection against reflected XSS attacks, in which the attacker provides a URL including malicious script. However, even users of those browsers are vulnerable to other XSS attacks, such as those where the malicious code is stored in a database. Only correct design of web applications on the server side can fully prevent XSS. XSS vulnerabilities can also occur because of implementation mistakes by browser authors.
Another cross-site vulnerability is cross-site request forgery, or CSRF. In CSRF, code on an attacker's site tricks the victim's browser into taking actions the user did not intend at a target site (such as transferring money at a bank). It works because, if the target site relies only on cookies to authenticate requests, then requests initiated by code on the attacker's site carry the same legitimate login credentials as requests initiated by the user. In general, the solution to CSRF is to require an authentication value in a hidden form field, and not only in the cookies, to authenticate any request that might have lasting effects. Checking the HTTP Referer header can also help.
"JavaScript hijacking" is a type of CSRF attack in which a <script> tag on an attacker's site exploits a page on the victim's site that returns private information such as JSON or JavaScript. Possible solutions include:
- requiring an authentication token in the POST and GET parameters for any response that returns private information.
Misplaced Trust In The Client.
Developers of client-server applications must recognize that untrusted clients may be under the control of attackers. The application author cannot assume that his JavaScript code will run as intended (or at all) because any secret embedded in the code could be extracted by a determined adversary. Some implications are:
- Web site authors cannot perfectly conceal how their JavaScript operates because the raw source code must be sent to the client. The code can be obfuscated, but obfuscation can be reverse-engineered.
- JavaScript form validation only provides convenience for users, not security. If a site verifies that the user agreed to its terms of service, or filters invalid characters out of fields that should only contain numbers, it must do so on the server, not only the client.
- Scripts can be selectively disabled, so JavaScript can't be relied on to prevent operations such as right-clicking on an image to save it.
- It is extremely bad practice to embed sensitive information such as passwords in JavaScript because it can be extracted by an attacker.
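How the form-validation point plays out on the server, as an added example that is not from the original article: the request body is treated as attacker-controlled, since it may come from a browser with scripts disabled, a modified page, or a tool that never ran the client-side checks. The field names (quantity, accepted_terms) and the sample requests are constructed for this illustration.

```javascript
// Added example, not part of the original article. The field names and the
// sample request bodies below are constructed assumptions.

// Server-side validation of an order form. Whatever the client-side script
// did (or did not do), every rule is enforced again here.
function validateOrder(body) {
  const errors = [];
  // A strict pattern instead of parseInt: parseInt('3abc') === 3 and
  // parseInt('0x10') === 16, so lenient parsing would accept garbage that a
  // browser-side check would have filtered out of a numeric field.
  const qty = typeof body.quantity === 'string' ? body.quantity : '';
  if (!/^[1-9][0-9]{0,2}$/.test(qty)) {
    errors.push('quantity must be a whole number from 1 to 999');
  }
  // A checkbox that the client script made mandatory still has to be
  // re-checked: the submitted value is just another untrusted string.
  if (body.accepted_terms !== 'on') {
    errors.push('terms of service must be accepted');
  }
  return { valid: errors.length === 0, errors };
}

// Constructed requests: one a normal browser would produce, one that bypassed
// the client-side checks.
const fromBrowser = { quantity: '3', accepted_terms: 'on' };
const bypassingClient = { quantity: '3abc', accepted_terms: 'false' };
console.log(validateOrder(fromBrowser));      // valid: true
console.log(validateOrder(bypassingClient));  // valid: false, two errors
```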
Browser And Plugin Coding Errors.
JavaScript provides an interface to a wide range of browser capabilities, some of which may have flaws such as buffer overflows. These flaws can allow attackers to write scripts which would run any code they wish on the user's system. This code is not by any means limited to another JavaScript application. For example, a buffer overrun exploit can allow an attacker to gain access to the operating system's API with superuser privileges.
These flaws have affected major browsers including Firefox, Internet Explorer, and Safari.
Plugins, such as video players, Adobe Flash, and the wide range of ActiveX controls enabled by default in Microsoft Internet Explorer, may also have flaws exploitable via JavaScript (such flaws have been exploited in the past).
In Windows Vista, Microsoft has attempted to contain the risks of bugs such as buffer overflows by running the Internet Explorer process with limited privileges. Google Chrome similarly confines its page renderers to their own "sandbox".
Sandbox Implementation Errors.
Web browsers are capable of running JavaScript outside the sandbox, with the privileges necessary to, for example, create or delete files. Of course, such privileges aren't meant to be granted to code from the web.
Incorrectly granting privileges to JavaScript from the web has played a role in vulnerabilities in both Internet Explorer and Firefox. In Windows XP Service Pack 2, Microsoft demoted JScript's privileges in Internet Explorer.
Microsoft Windows allows JavaScript source files on a computer's hard drive to be launched as general-purpose, non-sandboxed programs (see: Windows Script Host). This makes JavaScript (like VBScript) a theoretically viable vector for a Trojan horse, although JavaScript Trojan horses are uncommon in practice.
Uses Outside Web Pages.
In addition to web browsers and servers, JavaScript interpreters are embedded in a number of tools. Each of these applications provides its own object model which provides access to the host environment. The core JavaScript language remains mostly the same in each application.
Embedded Scripting Language.
- Google's Chrome extensions, Opera's extensions, Apple's Safari 5 extensions, Apple's Dashboard Widgets, Microsoft's Gadgets, Yahoo! Widgets, Google Desktop Gadgets, and Serence Klipfolio are implemented using JavaScript.
- The MongoDB database accepts queries written in JavaScript. MongoDB and NodeJS are the core components of MEAN: a solution stack for creating web applications using just JavaScript.
- Adobe's Acrobat and Adobe Reader support JavaScript in PDF files.
- Tools in the Adobe Creative Suite, including Photoshop, Illustrator, Dreamweaver, and InDesign, allow scripting through JavaScript.
- OpenOffice.org, an office application suite, allows JavaScript to be used as a scripting language.
- The interactive music signal processing software Max/MSP released by Cycling '74, offers a JavaScript model of its environment for use by developers. It allows much more precise control than the default GUI-centric programming model.
- Apple's Logic Pro X digital audio workstation (DAW) software can create custom MIDI effects plugins using JavaScript.
- ECMAScript was included in the VRML97 standard for scripting nodes of VRML scene description files.
- The open-source Re-Animator framework allows developing 2D sprite-based games using JavaScript and XML.
- The Unity game engine supports a modified version of JavaScript for scripting via Mono.
- DX Studio (3D engine) uses the SpiderMonkey implementation of JavaScript for game and simulation logic.
- Maxwell Render (rendering software) provides an ECMA standard based scripting engine for tasks automation.
- Google Apps Script in Google Spreadsheets and Google Sites allows users to create custom formulas, automate repetitive tasks and also interact with other Google products such as Gmail.
- Many IRC clients, like ChatZilla or XChat, use JavaScript for their scripting abilities.
- SpinetiX products use the SpiderMonkey JavaScript engine to allow scripting within SVG files to create digital signage projects.
Scripting Engine.
- Microsoft's Active Scripting technology supports JScript as a scripting language.
- The Java programming language introduced the javax.script package in version 6 that includes a JavaScript implementation based on Mozilla Rhino. Thus, Java applications can host scripts that access the application's variables and objects, much like web browsers host scripts that access a webpage's Document Object Model (DOM).
- The Qt C++ toolkit includes a QtScript module to interpret JavaScript, analogous to Java's javax.script package.
- JSDB (JavaScript for Databases) is an open-source JavaScript shell for Windows, Mac OS X, Linux, and Unix, which extends the Mozilla JavaScript engine with file, database, email, and network objects.
- jslibs is an open-source JavaScript shell for Windows and Linux which extends the Mozilla JavaScript engine. It has the ability to call functions in commonly used libraries like NSPR, SQLite, libTomCrypt, OpenGL, OpenAL, and librsvg.
- Late Night Software's JavaScript OSA (aka JavaScript for OSA, or JSOSA) is a freeware alternative to AppleScript for Mac OS X. It is based on the Mozilla 1.5 JavaScript implementation, with the addition of a MacOS object for interaction with the operating system and third-party applications.
Application Platform.
- ActionScript, the programming language used in Adobe Flash, is another implementation of the ECMAScript standard.
- Adobe Integrated Runtime is a JavaScript runtime that allows developers to create desktop applications.
- CA, Inc.'s AutoShell cross-application scripting environment is built on the SpiderMonkey JavaScript engine. It contains preprocessor-like extensions for command definition, as well as custom classes for various system-related tasks like file I/O, operating system command invocation and redirection, and COM scripting.
- GNOME Shell, the shell for the GNOME 3 desktop environment, made JavaScript its default programming language in 2013.
- The Mozilla platform, which underlies Firefox, Thunderbird, and some other web browsers, uses JavaScript to implement the graphical user interface (GUI) of its various products.
- myNFC is a JavaScript-based framework that allows developers to create applications for smartphones.
- Qt Quick's markup language (available since Qt 4.7) uses JavaScript for its application logic. Its declarative syntax is also similar to JavaScript.
- TypeScript is a programming language based on JavaScript that adds support for optional type annotations and some other language extensions such as classes, interfaces and modules. A TS script compiles into plain JavaScript and can be executed in any JS host supporting ECMAScript 3 or higher. The compiler is itself written in TypeScript.
- Ubuntu Touch provides a JavaScript API for its unified usability interface.
- webOS uses the WebKit implementation of JavaScript in its SDK to allow developers to create stand-alone applications solely in JavaScript.
- WinJS provides a special Windows Library for JavaScript functionality in Windows 8 that enables the development of Modern style (formerly Metro style) applications in HTML5 and JavaScript.
Microcontrollers.
As the specifications of microcontrollers have increased over the last few years, it has become possible to use JavaScript to control hardware in embedded devices. There are currently two main implementations:
- Espruino is a JavaScript interpreter for low-power microcontrollers
- Tessel is a microcontroller board with built-in WiFi