JavaScript in web browsers is new security weak spot

The growing use of JavaScript in web browsers is the new security weak spot, says Brian Chess, chief scientist and founder of US security software specialist Fortify Software. Specifically, the use of Ajax techniques to build Web 2.0 applications makes enterprise applications more vulnerable. "It is really hard to see the …

COMMENTS

This topic is closed for new posts.
  1. Steven Knox

    Missing the point

    "It is really hard to see the difference between what Ajax is supposed to do and what is an attack from hijacking JavaScript,"

    Really? Because what typifies a well-formed AJAX request is that it is an individual request with parameters that match the schema offered by the server. For an attack to actually work as an attack, it would have to be either a significant number of requests, or have specifically malformed parameters, or both. I wouldn't hire a programmer who couldn't craft a server app to check for well-formedness, and I wouldn't pay a security pro who couldn't identify a significant increase in traffic as a problem.

    "Potentially it provides a bridge between external internet applications and internal intranet applications behind the firewall."

    Only when implemented by a moron who doesn't understand what AJAX is or what it's for. AJAX is simply the use of Javascript code to request information through web protocols. As such, it runs on the client (read: any machine connected to the internet). So to use AJAX as a bridge to your intranet, you'd have to open said intranet up to everyone and everything.

    Also, Javascript code must at some point be readable to the client, which means that hackers can and will get at the source code. So putting anything you want to keep private in Javascript is a mistake.

    EVERY system is insecure when implemented unwisely.
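
The two server-side checks Steven Knox describes above (parameters that match the schema the server offers, and a burst of requests as the signal of an attack), as an added JavaScript example that is not part of the article or of any comment; the `lookup` endpoint, its schema and the sample requests are hypothetical.

```javascript
// Added example (not from the article or any commenter): a minimal server-side
// gate for AJAX endpoints applying the two checks from the comment above:
// (1) every parameter must match the schema the server offers, and
// (2) a burst of requests from one client is flagged as a traffic anomaly.
// The "lookup" endpoint, its schema and all sample requests are hypothetical.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

const SCHEMA = {
  lookup: {
    id: (v) => /^[0-9]{1,9}$/.test(v),   // numeric identifier
    lang: (v) => /^[a-z]{2}$/.test(v),   // two-letter language code
  },
};

// Returns the list of well-formedness problems; an empty list means the
// request has exactly the parameters the schema offers, each in the right shape.
function validateParams(endpoint, params) {
  const shape = has(SCHEMA, endpoint) ? SCHEMA[endpoint] : null;
  if (!shape) return [`unknown endpoint ${endpoint}`];
  const problems = [];
  for (const key of Object.keys(params)) {
    if (!has(shape, key)) problems.push(`unexpected parameter ${key}`);
    else if (typeof params[key] !== 'string' || !shape[key](params[key]))
      problems.push(`malformed parameter ${key}`);
  }
  for (const key of Object.keys(shape))
    if (!has(params, key)) problems.push(`missing parameter ${key}`);
  return problems;
}

// Sliding-window counter per client: more than `limit` requests inside
// `windowMs` milliseconds is the "significant increase in traffic" signal.
class RateTracker {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs; this.seen = new Map();
  }
  record(client, now) {
    const recent = (this.seen.get(client) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.seen.set(client, recent);
    return recent.length > this.limit;
  }
}

// Applies both checks to one request; `now` is a millisecond timestamp.
function gate(tracker, req, now) {
  const reasons = validateParams(req.endpoint, req.params);
  if (tracker.record(req.client, now)) reasons.push('request rate exceeds limit');
  return { ok: reasons.length === 0, reasons };
}
```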

  2. Anonymous Coward

    Nothing new

    Javascript, like Java, has been a browser security hole since the mid-90s. There has, to my knowledge, never been a formal validation of the security of either.

    People with any sense (or paranoia) turn off both as well as most of the standard add-ons.

  3. Mike

    Turning off Javascript

    Yeah, let me know how that works for you. :-)

    If you're a working stiff like myself, your employer probably requires you to leave your browser in "complete web-slut" mode to do your job. If you are _lucky_, you only need to turn it on to check that your payroll deposit was made, apply for vacation, change or even check your health-care benefits, fill in your status reports, etc. If not so lucky, pretty much every document you need is behind a "content management system" that makes Arthur Dent's little adventure finding his demolition notice look like a walk in the park. OK, Central Park, at night, but still...

  4. Eirikur Eiriksson

    almost too obvious!

    As I truly share the thoughts of the previous commenters, I think this could truly pose a threat as being one of those things too obvious to detect.

  5. antonio_barcelona

    Javascript != Java

    This news item is about Javascript; it isn't about Java. It should be under "Scripting" instead of "Java/J2ee".
