Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

The real power of JavaScript ! Rate Topic   - - - - -

 

Posted 29 October 2007 - 02:08 PM #1

Read this then the bottom demonstration

Say for example one of your employees at home is browsing the Internet and finds a cool and very funny video on YouTube. They decide they want to share it with all their co-workers because it is so funny. (Yes, I have done this)They send the link into the office. The next morning, they distribute it to their co-workers who dutifully view the content. On the surface, this may seem like a very benign issue with all the antivirus, anti-spyware, firewalls, and other stuff has been installed to protect our computers from various attacks. For many of us, this may just seem like another easy day at work with a few co-workers sharing the funny video.

Well, perhaps it seems that way, but the reality is that it may not be that simple.

A piece about Website defence crossed my path the other day and made me re-think the above scenario, as perhaps not being as benign as it first seemed.

As I began to study the situation, I became more and more engrossed about its impact on many users and businesses. Many web browsers, (Including me) by default these days, permit JavaScript to run. Mozilla Firefox under takes a slightly different approach to this and allows JavaScript to run on a site-by-site basis if the user (me) trusts the site and approves the JavaScript to run (now why did Microsoft not think of this). However, this offers little protection since most Web users have little knowledge about what they are approving to run. AHHHHH!

JavaScript: We have all heard about it as a popular scripting language that is widely supported in web browsers and other web tools. It adds enormous interactive functions to HTML (web) pages, which are otherwise static, since HTML is a display language and not a programming language. JavaScript is easier to utilize than Java, but it is nowhere near as powerful. It is used mainly to deal with elements on the web page.

Ok there is a nasty side to this JavaScript as well! Which i am really here to talk about. In addition, I am going to label it “Malicious JavaScript?” and I will try to explain it in terms that is easy to understand.
“Malicious JavaScript” is any type of JavaScript used on a website that installs software or obtains information from the computer without the user’s knowledge. But how does it do this we ask?

Let me show you some easy examples:

Example 1: A malware author could place JavaScript code on a web page that directs the browser to a specific URL under the malware author’s control, which loads additional JavaScript code into the browser. This code could do anything the author desires such as scanning the user’s bookmarks and cookies, harvesting them and sending them to the criminal’s computer without the user knowing. While this may seem innocuous, please remember that many users in their browser select the option to have the browser remember the usernames and passwords to specific sites visited by the user (bet some of you will look after reading that bit). The criminal, having downloaded the cookies from the user’s computer, simply needs to identify the one associated with the user’s “online banking account” in order to gain access to the user’s bank accounts.

Example 2: Gaining access the same way as in example one, the malicious hacker instead substitutes the host name of a URL stored in the user’s bookmarks to a website under the control of the criminal. The criminal’s server will then offer up a phishing page that requests confidential information from the user. Believing they are on a legitimate site, the user will generally enter this information, especially since the user launched the website from their Favourites list after previously adding the site to their Favourites.

Example 3: Gaining access to the computer in the same method as Example 1, the hacker would use the user’s computer to participate on bot-net attacks, send spam, participate in denial of service attacks, and (if on a corporate network) use the PC in violation of corporate Internet usage policies.

All of these situations can occur from the use of ”malicious JavaScript” code in a web page.

The Impact

Website types defined in the above examples use various forms of JavaScript to produce and display the content on these sites. Since many of these sites are user-controlled (i.e., the user is responsible for adding the content), it would be very easy for someone to create a cool video on YouTube and post it along with some JavaScript that infects the computer when the video is played. Blogs, Wikis and all of the other new content that falls into some definition that are vulnerable to someone using such avenues to introduce malware into the computer.
Please remember as well, that not all antivirus and anti-spyware applications scan web content for malicious JavaScript. This is worth considering!

Protection from Attacks

Since JavaScript is embedded in HTML coding (the language used to display websites), it is not a simple matter to disable all JavaScript in your browser. Some sites require JavaScript to function properly and to accept user input. A form website is an example of a JavaScript-enabled website. Certainly, some users in a work place may not need to visit sites that have JavaScript, and their browsers could have the JavaScript disabled. Nevertheless, for many of us in any profession, it is difficult to avoid websites that require us to fill out forms and other information in order to help our clients. JavaScript is an essential part of our website and is something that we have to use.

JavaScript is a threat to any computer in ways that you may not think about or realize. Vigilance and education is a key to ensuring that you do not visit websites of questionable work value and may cause you to lose valuable information (especially if you hold your personal client details) to a hacker who inserted “malicious JavaScript” on that funny video site that all of your employees dutifully visited in the opening to this post.

The threat is real and problematic for the unsuspecting user. Don’t let anyone in you know or your website fall victim to “malicious JavaScript” now that you know what could happen.

As a simple exercise I will show you a little trick about "is it possable to move images from a website if you are not the author" – it is not a “hack” as such, but more a demonstration I think many will have fun with, and the answer is kind of. Oh i forget, it will not work in Firefox.

I will use www.cs-cart.com as a good example, but you can use it on any site with a good number of images, Flickr is one that springs to mind.

Ok, type the URL into the browser and let the page load. Then in the browser copy and paste this;

javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24;x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length;function A(){for(I=0; I<DIL; I++){DIS=DI[ I ].style;DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5;DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++ }setInterval('A()',5); void(0);

I.E 6 user amy wish to use this if you have problems;

javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24;x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length;function A(){for(i=0; i<DIL ; i++){DIS=DI[ i ].style;DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5;DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++ }setInterval('A()',5); void(0);


In IE7 press the --> arrow button, in other browsers press the equivelent key!

Good ah ? ;)

Even Better is to do it on Google Images !

Thanks for your time and I hope I have highlighted a little more about JavaScript.



Richard

Forget past mistakes. Forget failures. Forget everything except what you’re going to do now and do it



Now using CS-Cart 2.0.5

 
  • johnjohn
  • Member
  • Members
  • Join Date: 05-Mar 09
  • 35 posts

Posted 10 March 2009 - 02:59 PM #2

I didn't try the example above, so this reply is just a general reply about JavaScript and your site...

I understand yours and everyone's concern about Javascript. Generally speaking it is not a threat and if you computer has above average anti virus and anti mal ware tools, you should be all set. I use avast.com and it protects against malicious scripting.

Most well coded web forms do a good job of prevent scripts from executing malicious code injected by hackers. And you can help protect your site by denying code execution where applicable using .htaccess files.


This can be added to the htaccess file located in your public_html directory to stop common attacks:

# ##### URL Filtering helps stop some hack attempts ##### #
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
#IF the URI contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]
#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \*
# Block out any script trying to base64_encode **** to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
#then deny the request (403)
RewriteRule ^.*$ - [F,L]
# End URL Filtering

And this can be added into an htaccess file in directories that are not dependent upon php and js scripting for functionality:

# prevents server side scripting
<Files ~ "\.(php|php3|php4|php5|phtml|pl|cgi)$">
order deny,allow
deny from all
</Files>

add 'js' to the list of files to prevent JS execution

<Files ~ "\.(js|php|php3|php4|php5|phtml|pl|cgi)$">
order deny,allow
deny from all
</Files>