22.214.171.124 JavaScript
JavaScript refers to program code that a web server sends to your PC as part of a web page you have requested, and which your browser executes as part of that page once it has been downloaded.
JavaScript can also run on the server side of a web connection, with many of the same vulnerability concerns as CGI (discussed in section 126.96.36.199), but we assume that this objective refers particularly to client-side JavaScript and to the data-privacy and data-integrity issues its use creates on the desktop.
JavaScript took its name from Java for marketing reasons and a superficial resemblance in syntax; beyond that, the two languages are unrelated. It is commonly used to display an animation when a page loads, to highlight buttons as the mouse moves over them, and to expand or collapse menus when items are clicked. Besides the web, JavaScript turns up in many HTML emails, particularly ads and, most particularly, spam. As noted earlier in our discussion of spam, the fact that an HTML email can fetch web links and execute script code merely by being displayed in Outlook's preview pane is a security issue in itself.
This matters because, whether the JavaScript arrives in an HTML email message or on a web page, it can sometimes do considerably more than decorate the page. For example, in certain versions of Netscape's browser it could be used to read a user's bookmark file (the list of web pages they have marked as particularly interesting) and send the contents to a remote server. In versions of another browser, it could read the cookies cached from other sites visited during that browsing session, escaping the same-origin restriction that is supposed to confine a script to its own site's cookies, and send them (and any information stored in them, such as full name, address, SSN, financial data or passwords) to the attacker's server.
JavaScript is also the vehicle for cross-site scripting (XSS). The attacker crafts an innocent-looking URL that carries script code in one of its parameters; a vulnerable web server echoes that parameter into its response without escaping it, so the script reaches the victim's browser as though it were part of the trusted page and runs with that site's cookies and privileges. From there it can gather information about the user, redirect them to a bogus web site, or (possibly, if the browser itself has a flaw) execute commands on the client's machine. For more information about cross-site scripting, see The Cross-Site Scripting FAQ [215].
Although some security sites recommend turning off JavaScript support entirely (if your browser allows it) in order to avoid future data-privacy compromises, doing so breaks the functionality of many web pages and is not generally a realistic option for most users.
JavaScript code is written in plain text and can be viewed by anyone who browses to a web page containing it (for example, with the browser's "view source" command). This has security implications from an intellectual-property point of view: any JavaScript appearing in a web page is effectively open source, available for the taking by anyone who thinks a particular effect is neat. I've seen the same code in one place on the net, with a copyright notice in the comments, and in a completely different place, with the same script variable names and everything, sans copyright notice.
A specific vulnerability in JavaScript was discussed in The Register [216]
215. The Cross-Site Scripting FAQ, http://www.cgisecurity.com/articles/xss-faq.shtml
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.