Read this whole guide offline with no ads, for a low price!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Test yourself better with 300 extra Security+ questions!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.3  The Web
           9  2.3.4  Vulnerabilities

Previous Topic/Section
Web Software Flaws
Previous Page
Pages in Current Topic/Section
1
Next Page
2.3.4.2  ActiveX
Next Topic/Section

2.3.4.1  Java Script

Java Script refers to program code which is transmitted to your PC from a web browser, as part of a web page you’ve requested, and which runs as part of the page after being downloaded to your PC.

Java Script

Java Script is human-readable program code that can be included on a web page. When a client PC receives the page, the Java Script code on it runs within the user’s browser.


Java Script can also run on the server side of a web connection, with many of the same vulnerability concerns as CGI, discussed in section 2.3.4.6 … but we’re assuming that this objective refers particularly to client-side Java Script and the data-privacy and data-integrity issues that result on desktops from its use.

Java Script got its name from its resemblance to Java program source code, but the two are no more closely related than that. It is frequently used for displaying an animation when the page loads, highlighting buttons as you move the mouse over them, causing menus to expand or contract when you click on various menu items. In addition to being seen on the web, Java Script is also found in many HTML emails, particularly ads and, most particularly, Spam. As noted earlier in our discussion of Spam, the ability of HTML emails to touch web links and execute script code merely by being displayed in Outlook’s preview pane is a security issue.

This is particularly true because, whether you’re talking about Java Script in an HTML email message, or on a web page, it can sometimes be used to do some more “interesting” things. For example, in certain versions of Netscape’s browser, it can be used to retrieve the contents of users’ “bookmark” files (listing web pages they’ve marked as particularly interesting) and send the info to a server. In versions of another browser, it allows harvesting cached cookies from previously visited sites during that surfing session, and sending them (and any information in them, such as full name, address, SSN, financial data, passwords, etc.) to the nefarious server.

It can also be used to facilitate a type of attack known as cross-site scripting, in which script code is transferred from a web server to the client via an innocent-looking URL, executed on the client, and used to gather information about the user, redirect them to a bogus web site, or (possibly) even to execute commands on the client’s machine. For more information about cross-site scripting, see The Cross-Site Scripting FAQ215.

Although some security sites recommend turning off Java Script support entirely (if your browser allows you to do that) in order to avoid future data privacy compromises, this often impairs the functionality of web pages and is not generally a realistic option.

Java Script code is written in plain text, and can be viewed by anyone who browses to a web page containing it. This has some security implications from the point of view of intellectual property. Any Java Script code appearing in a web page is effectively open source, available for the taking by anyone who thinks a particular effect is “neat”. I’ve seen the same code in one place on the net, with copyright notice in comments, and in a completely different place, with the same script variable names and everything, sans copyright notice.

A specific vulnerability in Java Script was discussed in The Register216


 __________________

215. “The Cross-Site Scripting FAQ”, http://www.cgisecurity.com/articles/xss-faq.shtml

216. http://www.theregister.co.uk/content/55/22949.html

Previous Topic/Section
Web Software Flaws
Previous Page
Pages in Current Topic/Section
1
Next Page
2.3.4.2  ActiveX
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.