JavaScript: Boon or Bane

Can you imagine websites without JavaScript? Viewing websites without it is very inconvenient. Despite the many security concerns around JavaScript, even Adobe will not remove JavaScript support from its PDF Reader. JavaScript enables lively and interactive content on websites, but it also provides a great platform for malware distribution. JavaScript opens the door to many browser-based attacks that can circumvent the protection offered by a number of current security products.

JavaScript security is evolving to address these concerns by excluding support for certain capabilities, restricting features, enforcing the “same origin” policy, and using security zones and signed scripts. These measures target the prime source of malware distribution and browser-based attacks. Kaspersky Labs reported that in 2009, 0.64% of websites were infected with malicious JavaScript, i.e., one in every 150 sites. These websites have been compromised to include malicious scripts so as to infect users visiting the site. The malicious script, when executed in a user’s browser, can take the form of an iframe, a browser exploit, or an external malicious script. Malicious scripts are often obfuscated to thwart script analysis; sometimes they are embedded in Base64 encoding, which hinders detection by security software.

Websites can become infected through injection of malicious scripts via SQL injection, or when a web developer's system is infected with a password-stealing trojan that captures the site's credentials. When web developers discover that sites they are responsible for have been compromised, they should not only clean the files but also change their credentials. With the advent of free hosting and blogging, it is easy for most individuals to set up a website, and proper security mechanisms are not necessarily followed during the development and deployment of many websites. The high infection rate of websites in turn aids the rise of botnets. Since many websites are built with little knowledge of web programming, they are often vulnerable to the injection of a malicious script by an attacker.
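Cleaning a compromised site starts with finding what was injected. The scanner below is an added example, not from the original post: it looks for the three artefacts described above (zero-size or hidden iframes, Base64-wrapped markup handed to eval(), and obfuscation loader calls) in a page's HTML. The sample page, the placeholder host injected.invalid, and all function names are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample page: normal content plus two injected artefacts
# (placeholder host, not a real indicator): a zero-size hidden iframe and a
# Base64 blob that an obfuscated loader decodes and passes to eval().
INJECTED = base64.b64encode(
    b'<iframe src="http://injected.invalid/x" width="0" height="0"></iframe>'
).decode()
SAMPLE_HTML = f"""<html><body>
<h1>Welcome</h1>
<iframe src="http://injected.invalid/load" width="0" height="0" style="display:none"></iframe>
<script>eval(atob("{INJECTED}"));</script>
<img src="data:image/png;base64,{'A' * 64}">
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Zero width/height or CSS that makes the frame invisible to the visitor.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0+[\"'\s>]|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOADER_RE = re.compile(r"\b(?:eval|unescape|document\.write)\s*\(", re.I)
# Markers that legitimate Base64 data (images, fonts) would not decode to.
MARKERS = (b"<iframe", b"<script", b"eval(", b"document.write", b"http://")

def find_hidden_iframes(html):
    """Return iframe tags sized to zero or styled invisible."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]

def find_encoded_payloads(html):
    """Decode long Base64 runs and keep those that hide script or iframe markup."""
    hits = []
    for run in B64_RE.findall(html):
        try:  # re-pad so a run clipped by the regex still decodes
            decoded = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except binascii.Error:
            continue
        if any(marker in decoded.lower() for marker in MARKERS):
            hits.append(decoded.decode("utf-8", "ignore"))
    return hits

def scan_page(html):
    """Collect the indicators a site owner should review before cleaning files."""
    return {
        "hidden_iframes": find_hidden_iframes(html),
        "encoded_payloads": find_encoded_payloads(html),
        "loader_calls": LOADER_RE.findall(html),
    }
```

Run scan_page over each HTML, JS and template file pulled from the compromised host; a legitimate data: URI (the image above) is decoded but not flagged because it contains none of the markers.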

Users are advised to keep one browser with JavaScript disabled and use it for untrusted websites. It is also always advisable to use SCP/SSH/SFTP to upload files instead of FTP.

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, security.