Week 9

 JavaScript is a widely used high level interpreted programming language since 1995. Today it has become one of the most important and widely used client side programming languages. A study conducted by W3Tech states that JavaScript is being used at least on 88% of the web sites. It’s fair to say that any website created recently will for sure have some component of JavaScript. The responsiveness and interactiveness nature of web that we see today is partly because of the use and advancement in the JavaScript technology. Tools like jQuery, Angular, Backbone have made using JavaScript easier to implement for masses hiding much of the complex nature of JavaScript and it’s interaction with the DOM.

While it’s true that everyone loves JavaScript and you can’t even think of creating a new website without one, it comes with it’s security concerns. You might have heard that “JavaScript is Dangerous”. While that’s true but so is any other programming language. Sure due to the nature of client side script and how it the browsers processes it, it might be more prone to hacks and flaws but as a developers we can be more vigilant, understand the threat and follow best practices to minimize this risk. One solution that’s still thrown out is to “Disable the JavaScript”. In my opinion we need to get over this and embrace the security challenges. Sure you can disable the JavaScript and browse a crippled website which won’t even function in most cases.

JavaScript can be abused in a number of ways leading to theft, snooping your activity and privacy. One of the recent well known breach happened in 2012 when a couple of researchers sampled 5 million Facebook users in an attempt to find who who started typing the post but decided not to post it. The intent was not malicious but you can see how they could have easily captured what the user was typing and saved in on their servers. They did this by embedding JavaScript code that looked for on key down and on blur events on all textboxes within Facebook website. Another easily abused area is that of cookies. It’s a well established fact that organizations use cookies to store user information and many times it is enough to uniquely identify who the user is. If a hacker is able to embed JavaScript that can read cookies is any website it can retrieved the information that’s stored in them. Perhaps the most common form of attach is the cross site scripting attack XSS which I wrote about in the Week 6 blog post.

References:

http://www.makeuseof.com/tag/3-ways-javascript-can-used-breach-privacy-security/

https://www.veracode.com/security/javascript-security

Advertisements