The Threats that come with JavaScript

By Alex Nimoy Oct. 19, 2019, 9 a.m.

What is JavaScript

JavaScript is a high-level, interpreted programming language developed in 1995, and it plays a main role in today’s web. The majority of today’s websites use JavaScript to provide dynamic web pages and functionality that would not be possible without it. Functionality that websites implement using JavaScript includes:

Updating web page content and submitting data without the need for web page reloading.
Validating submitted texts before sending them to the web server.
Animating web page elements.
Providing interactive content in web pages like games and videos.

And much more!

This use of JavaScript in web pages is known as client-side, which means that the client (typically the web browser) is what ultimately runs the code; this is the most common use for JavaScript. When a web browser requests a web page from a website, the JavaScript code is included in the HTML file that is sent back by the website. Modern web browsers have built-in JavaScript engines that interpret and execute the received scripts. The JavaScript code is executed either immediately by the web browser or when the user performs a certain action.

JavaScript enhances users’ web experience by making web pages more than just a static display of information. It also helps decrease pressure on web servers by having web browsers do some of the servers’ work, such as submission validation. However, as computing history has proved over the years, more functionality often means more security issues.

Security Issues

Because it’s the end user’s web browser that is responsible for executing JavaScript, security concerns arise. JavaScript is technically a general-purpose programming language that can do almost anything other languages like C and Java can do (Java and JavaScript are two different things). The notion that our web browsers will run scripts that can do just about anything and are received from foreign web servers can be frightening, and to some extent it should be, as JavaScript is a common vector for bad actors. This, however, does not mean that JavaScript is particularly bad; it can simply be abused for malicious activities, as is the case with virtually every other computer technology.

At the risk of being repetitive, our browsers will run scripts retrieved from foreign web servers, and therefore it’s only logical that there should be restrictions in the web browser to govern how these scripts run. Two popular restrictions implemented in most web browsers are sandboxes and the same-origin policy. With sandboxing, a script runs in a sandbox in which it’s given limited privileges and resources. This means scripts won’t be able to run “outside” the web browser, and thus can’t do general-purpose operations, e.g. create or access local files on the client’s machine. Under the same-origin policy, scripts from a certain website can’t access information stored by other websites.
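
The same-origin check described above can be sketched as follows. This is an added example, not code from the original article; it relies on the standard definition of an origin as scheme, host and port, and every URL in it is a constructed sample.

```javascript
// Added example: decide whether two URLs share an origin (scheme + host + port).
const PAGE = "https://bank.example/account"; // constructed sample page URL

function originParts(urlString) {
  const u = new URL(urlString);
  // data:, file: and similar schemes get an opaque origin, serialized as "null"
  if (u.origin === "null") return null;
  // u.port is "" when the scheme's default port is in use, so normalize it
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol];
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Returns "same-origin", or names the first component that differs
function compareOrigins(a, b) {
  const pa = originParts(a);
  const pb = originParts(b);
  // Opaque origins never match anything, not even each other
  if (!pa || !pb) return "opaque origin";
  for (const key of ["scheme", "host", "port"]) {
    if (pa[key] !== pb[key]) return `different ${key}`;
  }
  return "same-origin";
}

// Constructed sample resources a script on PAGE might try to read
const samples = [
  "https://bank.example:443/transfer", // default port written out explicitly
  "http://bank.example/account",       // downgraded scheme
  "https://api.bank.example/balance",  // subdomain counts as another host
  "https://bank.example:8443/admin",   // other port
  "data:text/html,hello",              // opaque origin
];

for (const url of samples) {
  console.log(`${url} -> ${compareOrigins(PAGE, url)}`);
}
```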

The two concepts are effective, but their implementations are not always perfect. Many vulnerabilities in different implementations of these concepts have been published over the years, but fortunately web browser developers quickly release updates to patch such security holes. So the first thing to consider in defending against malicious JavaScript code is making sure your web browser is always up to date.

Cross-site Scripting (XSS)

Most of the time, the danger of malicious JavaScript code can be averted by visiting only trusted websites. Unfortunately, this does not always hold true. A prevalent JavaScript-related attack is called cross-site scripting. If an attacker is somehow able to inject malicious JavaScript code into a legitimate website’s web pages, then every time a user visits that website the attacker’s script will arrive at the visitor’s web browser. This means that the attacker can have access to all the victim’s activity on that specific website. Furthermore, depending on security vulnerabilities in web browsers, the attacker can distribute malware to the large number of users that visit the compromised website. The responsibility for preventing cross-site scripting lies ultimately with the websites’ developers, since web browsers can’t do much about it. Again, trusted and well-established websites typically put more effort into preventing cross-site scripting.
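
What the developer-side prevention looks like in practice: the added example below (not code from the original article) renders a visitor comment once without and once with HTML output encoding. The function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: a comment rendered without and with HTML output encoding.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that let text break out of an HTML text or attribute context
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: visitor-supplied text is pasted into the markup as-is,
// so any tags it contains become part of the page for every later visitor
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: every untrusted value is encoded before it reaches the markup,
// so the browser displays it as text instead of parsing it as HTML
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Rough check: how many script elements would a browser find in this markup?
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample input, as it might be stored by a comment form
const comment = {
  author: "mallory",
  body: "Nice post <script>alert(1)</script>",
};

const unsafeHtml = renderCommentUnsafe(comment.author, comment.body);
const safeHtml = renderCommentSafe(comment.author, comment.body);

console.log("unsafe:", unsafeHtml, "script tags:", countScriptTags(unsafeHtml));
console.log("safe:  ", safeHtml, "script tags:", countScriptTags(safeHtml));
```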

Privacy Issues

Another misuse of JavaScript is fingerprinting and profiling users’ devices and web browsers. Using JavaScript, websites can get a lot of information on visitors through their web browsers, such as:

Browser type and version, as well as its settings.
Screen resolution.
Available fonts.
Installed browser plugins and extensions.

And the list can go on much more.

Surprisingly though, this type of misuse is chiefly deployed by many established websites. Their rationale is that they do so to provide a better personalized experience for frequent visitors and to use targeted ads. Nonetheless, this is still a privacy violation, and it is a big concern for users who specifically favor privacy. Several methods can be used to fend off such violations. Disabling JavaScript completely is considered to be the most effective solution. However, this could have a great impact on the browsing experience, since a lot of functionality would not be available. Another solution, which is more viable, is the Tor browser. Tor is an anonymization network project, and it maintains a privacy-dedicated web browser. The Tor web browser is designed to be as indistinctive as possible, and it mainly does so by making all its users have the same fingerprint. This way, to websites, it would appear as if all Tor browser users were identical, and thus it will be hard for websites to identify them individually.
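
Why a uniform fingerprint protects users can be measured by counting how many visitors share each combination of attributes. The following is an added example, not code from the original article or from the Tor Project; all visitor records and attribute values are constructed, and the uniform profile is a placeholder rather than what any real browser reports.

```javascript
// Added example: how many visitors share each fingerprint (anonymity set size).
const ATTRS = ["browser", "screen", "fonts", "plugins"]; // attributes the article lists

function fingerprint(visitor) {
  // Canonical form: fixed attribute order, lists sorted so their order is irrelevant
  return ATTRS.map((key) => {
    const value = visitor[key];
    return `${key}=${Array.isArray(value) ? [...value].sort().join(",") : value}`;
  }).join("|");
}

// Maps each distinct fingerprint to the number of visitors presenting it
function anonymitySets(visitors) {
  const sets = new Map();
  for (const v of visitors) {
    const fp = fingerprint(v);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// A visitor can be singled out when nobody else shares their fingerprint
function uniquelyIdentifiable(visitors) {
  const sets = anonymitySets(visitors);
  return visitors.filter((v) => sets.get(fingerprint(v)) === 1).length;
}

// Constructed sample visitors with ordinary, individually configured browsers
const ordinary = [
  { browser: "Firefox 70", screen: "1920x1080", fonts: ["Arial", "Helvetica"], plugins: ["pdf-viewer"] },
  { browser: "Firefox 70", screen: "1920x1080", fonts: ["Helvetica", "Arial"], plugins: ["pdf-viewer"] },
  { browser: "Chrome 77", screen: "1366x768", fonts: ["Arial"], plugins: [] },
  { browser: "Firefox 70", screen: "2560x1440", fonts: ["Arial", "Helvetica"], plugins: ["pdf-viewer"] },
];

// The same visitors when every browser reports one shared profile (placeholder values)
const UNIFORM_PROFILE = { browser: "Uniform 1.0", screen: "1000x900", fonts: ["Arial"], plugins: [] };
const uniform = ordinary.map(() => ({ ...UNIFORM_PROFILE }));

console.log("ordinary: distinct fingerprints =", anonymitySets(ordinary).size,
  "uniquely identifiable =", uniquelyIdentifiable(ordinary));
console.log("uniform:  distinct fingerprints =", anonymitySets(uniform).size,
  "uniquely identifiable =", uniquelyIdentifiable(uniform));
```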
