Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Why are javascript web applications considered a bad thing?

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    Why are javascript web applications considered a bad thing?

    Ok gang here is a new one for you to ponder on.


    My company recently bought another company. This other company has a fairly large and complex web application that is written almost entirely in javascript. Now I have always heard that javascript is a bad idea from a security standpoint, but I can find no documentation to back this up. I have seen next to nothing on javascript within a security discussion. I have however found plenty of discussion about why javascript is bad from a development point of view and why new technologies out there are better... but still nothing on the security point.


    So, if anyone here is familiar with why javascript is a bad idea from securities standpoint PLEASE help me out here.


    Some background on this application. It's a finianical application, but not for end users. Banks use this app to do queries to a ************* database and to update transaction information in this database. Most of the time this is a closed network with only specific frame access to it, but there is also a web based component (which is the application in question) that can be used. This "opens" the network up a bit and allows banks to use the internet to transmit this information, via HTTPS of course.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Cool, a chance to show my ignorance!!! How about I tell you what I think I know, and then someone can come tell me that I'm wrong...

    As far as I know, javascript is (almost) perfectly safe because it is not allowed to make system changes( because it runs in it's own sandbox)... however due to weaknesses in browsers, it can be exploited to make system changes..hence the java.byteverify exploit...???

    But if anybody else can help clear up my misconceptions, that would be great. It wouldn't be the first time I was wrong....

  3. #3
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Hi

    As far as I know, javascript is (almost) perfectly safe because it is not allowed to make system changes( because it runs in it's own sandbox)
    I think what you are refering to are Java Applets.........they are perfectly safe because a java applet is not allowed to make any change to system....and nor can they run any other application on the target Computer....

    On the other hand java Scripts can.....there is no such restrintion on them........

    Then i could be wrong either....

  4. #4
    Junior Member
    Join Date
    Jun 2003
    Posts
    11
    Javascripts can indeed cause harm. The Scob trojan from last week installs Javascript on the targeted IIS server, which in turn runs on the browser and brings the user to a nasty little website (which is no longer working).

    http://www.sophos.com/virusinfo/analyses/jsscoba.html

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    ok I understand about browser side issues with javascript, but I have always heard that javascript was bad for the server side too and that it could be fairly easily exploited. I guess what I am looking for is why would it be a bad idea from a security standpoint to allow a javascript based application to be deployed on one of our webservers.


    thanks groovicous and swordfish_13 for the answers so far.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Ok, then let's explore the depths of my ignorance further....

    JavaScript runs javascript applications.....Java runs applets, Java can be used to hook into windows functions....javascript can't (unless an exploit is, well, exploited)....

    The exploit that occured last week (I thought) was from an IE problem.....??

    Ok, where are the javascript programmers and conspiracy theorists when you need them ??

  7. #7
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    ok... put it like this... if your web server has been rooted so that someone else can put a js based exploit on it then you have more to worry about than a js exploit. You'll note every js exploit trojan that joe public sees is because the trojan is being served from an infected server - not because its being transmitted like a normal virus over smtp or similar

    you say the webserver serves this js application over https.... is this just to other banks i.e. trusted clients or to joe public? If it's to trusted clients i.e. other banks who presumably have similar levels of security as you, then I don't actually see too much a problem - presumably this is set up as some kind of closed VPN? You might only run into problesm AFAIK if the network is opened up more than this.....

    again any misconceptions stated here I'd be glad to have them corrected

    Z

    PS groovy - you are definitely thinking of java mate

    edit..... you runing any other services Lv4??
    Quis Custodiet Ipsos Custodes

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Zonewalker - thanks for the response, and I'll answer what I can.

    This machine is IIS 6 (ugh, I want it on Sun One but that isn't happening) with no other services running on it. It is kind of a tiered application, in that there is a web server --> application server --> database server although the app server and db are the same box (another issue to be addressed that isn't part of the javascript issue). This is closed in the sense that we have locked down the firewalls to allow access to the machine in question from specific IP addresses, but there is no VPN per se... although we are checking on spoofed addresses. The banks in question /should/ have good security but I always doubt anything that is outside of my control So no this isn't being served to joe q. public and it won't be because of the type of application it is.

    I will completely agree that if my box gets rooted and someone puts .js on there that I have more issues to worry about than javascript.

    I'm more concerned about the security of an application written almost entirely of javascript, and can it be exploited by a trusted end user (i.e. elevation of privleges, access to database, etc) but I can't seem to find anything on this... even in theory. Most of the time google is my friend, but in this case google has been of no assistance.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  9. #9
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    hmm... ok I don't think you can directly use javascript to elevate privileges - but knowing that there are people far cleverer than me at doing this kind of thing I wouldn't be surprised if you could - however you could use js to introduce other scripts that could elevate privileges - I'm thinking of cross site scripting.

    This page might interest you as a demonstration of purpose (its safe to look at though I'm not using IE - bear in mind the latest exploit for IE was found on russian servers so I'd consider using something other than IE to look at this - can never be too careful) - anyway it might provide you with some insights

    http://www.security.nnov.ru/search/d...asp?docid=6308

    You probably haven't got much too worry about from Joe public if your firewalls etc are ok - although yeah I agree I would be happier with a few changes if I were in your position..... but someone inside your network - they are always a concern. Shouldn't the hiring procedures have something like security checks on peoples background to try and filter out questionable types? Don't know how effective that kind of thing is though.

    Short answer to your question is yes I think it *might* be indirectly possible (with a few caveats) in theory but I'd like to see someone try (from a distance of course)

    Z
    Quis Custodiet Ipsos Custodes

  10. #10
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    You can use javascript and various browser vulnerabilities (primarily in IE) to do nasty things. You can also use applets in malicious ways if the user is ignorant enough to give them the necessary powers over their system.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •