Is there any serious threat in using JavaScript [closed]_问答_开发者

Closed. This question is off-topic. It is not currently accepting answers.

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 10 years ago.

开发者_运维技巧 Improve this question

some people disable javascript in their browsers for more security.i want to know is there any serious threat in javascript scripts? i read in a book that there isnt any serious security problem in javascript scripts!

Javascript can be exploited for several well-known and common attacks, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF).

It's like any technology. It can be used for good or bad. I'm not saying to disable it, but either of those can be considered a "serious threat" and they're worth knowning about.

You should throw that book away.

JavaScript can be very dangerous. If an attacker has modified the JavaScript of what used to be a safe website can they can make malicious execute in that site's JavaScript. They can also fake sites that execute malicious JavaScript as soon as you enter; something like a fake FaceBook or Twitter site simply because you misspell Facebook or Twitter in the URL.

The vulnerability in Javascript lies in that it resides on the client-side. By enabling Javascript, you are at risk if you visit a website with a vulnerability in it. If someone attacks a website by inserting javascript into a page that grabs your session cookie, then the attacker could login as you to that website.

Most big sites are secure enough that this is not a major concern.

As with any technology, you can't say it is fully secure or it is completely bad. The question is what is the real risk behind it.

To my knowledge, there are two main risks :

Client-side Web attacks :
- Cross-Site Scripting : This attack appends when an attacker includes malicious content in a legitimate website, this code will then be executed by your browser when you will load the page. The attacker cna use any language understood by your browser so it will use Javascript as it is today the more powerfull language.
- Cross Site Request Forgery : due to a vulnerability in a website, an attacker will be able to launch an action on this website with your account, assuming you are already logged on this website. For example if you use Twitter and if twitter has such vulnerability, an attacker may send you an email with a link to a malicious website which will launch a request to twitter with your account and launch a new Tweet. Note that this CSRF attack can be launched from a legitimate website with a XSS.
- If you wan to estimate the risk of such attack, few examples are interesting :
  - 55% of the websites tested by White Hat Security had XSS vulnerabilities in 2012
  - in 2010, apache.org was compromised by using an XSS to steal admin credentials
  - In 2008, a CSRF vulnerability in ING website (online bank) allowed to launch money transfer
  - A tool called BeEF allows to launch such attack and so provides good examples of the potential impact behind client-side web attacks.
Vulnerabilities in client softwares
- As Javascript is a complex language, many vulnerabilities are discovered in Javascript implementations whether in browsers or in other softwares implementing JavaScript (Adobe Reader is a good example). Such vulnerbaility can allow to execute code on your computer from a malicious webpage or malicious document. Now, sandboxes make exploitation more difficult but there are still a lot of vulnerabilities in complex softwares. As an example, major browsers have all been compromised at Pwn2Own challenge in the past five years.
- So disabling Javascript also reduced that risk importantly