Firewall Wizards mailing list archives
Re: Active-content filtering (was RE: Buffer Overruns)
From: Crispin Cowan <crispin () cse ogi edu>
Date: Fri, 24 Dec 1999 06:50:40 +0000
"Hazel A. Borg" wrote:
I am a web developer who took a course in firewalls which opened up my eyes to a whole new world. I have been following the messages in this group with great interest. You are correct in the fact that I don't understand the technology and I was wondering if someone if you could educate me. No where in my schooling or the references I use in web developing is there a mention of the security problems with JavaScript.
The way Javascript is *supposed* to work is that the applets are downloaded to the client browser to run. The browser runs them in a "sandbox" [1] which contains the applet so that it cannot read or corrupt anything sensitive. What *actually* happens is that the sandbox is amazingly porus. Bugs in the sandboxing function of one or more common browsers allow Javascript (or Java) applets to access content that they were not intended to access. My favorite was the "eBayla" applet: a Javascript applet suitable for placing on an ebay.com auction. When a would-be buyer with Javascript enabled browses the auction, the applet scoops up the buyer's ebay password, and e-mails it back to the seller. Then the seller can forge bids as the buyer. I had to make the case to a collegue that Javascript is hopelessly insecure, and counted 20 separate Javascript vulnerabilities in the six months preceeding May 1999. There have been numerous vulnerabilities announced since then, the most recent arising December 16. With this kind of history of security vulnerability, the prudent and security-conscious browser does *not* roam around the Internet with Javascript enabled. Thus it is rather annoying to come upon a web site that *requires* Javascript in order to function. I have no problem with sites that just Javascript for extra "glitz" (mouse-overs, etc.) but when it is *required* in order to access content, then it is a problem. Some examples: * Continental Airlines: Following the "enter here" link, one comes to a site that contains no HTML at all. With Javascript disabled, you just get a blank page: http://www.continental.com/dash/build_dash.asp?vs_1999_11_22_00 * City Search: Their home page http://www.citysearch.com/ helpfully detects if you are not running Javascript, and kicks you off http://www.citysearch.com/CitySearch/home/upgrade.html. There does not appear to be any real reason for this. Javascript is used for navigation, but only in trivial ways, e.g. the city selector menu uses Javascript to obviate the need to click the "go" button. This site could easly be cleansed to not require Javascript, but City Search has decided that their glitz & convience is more important than their customer's security. * The National Information systems Security conference: http://csrc.nist.gov/nissc/program/r_d.htm If you would expect anyone to know better, it's them. The scholars behind NISSC probably do know better, but the web developers aren't reading the content they're deploying. On this page is a link to the New Security Paradigms Workshop, but this link (javascript:openWindow('rd2.htm','popupAboutWin')) has been pointlessly implemented as Javascript instead of HTML, because all it does is open a window with some HTML in it. More over, that HTML *has* a static HTTP URL ( http://csrc.nist.gov/nissc/program/rd2.htm ) but for some bizzarre reason, they chose not to use it.
All the programs like adobe image ready and macromedia fireworks etc use JavaScript making features as a major selling point in their software. In simple terms what is the major risk with JavaScript?
Regarding the tools, I realize that this is a problem. Many of the web development tools spout about scripting as a feature, not realizing that it is also a major defect. I don't have direct experience with these tools, but presumably they at least announce when they are deploying scripting? If so, on each occasion when scripting is employed, ask yourself what the user experience will be *without* this script. If it is reduced glitz, no problem. If it is inaccessable content, then *seriously* consider re-arranging content so that it is accessable via pure HTML. Thanks for listening, Crispin----- Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com Free Hardened Linux Distribution: http://immunix.org
Current thread:
- Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 21)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)
- Re: Active-content filtering (was RE: Buffer Overruns) David Lang (Dec 23)
- Re: Active-content filtering (was RE: Buffer Overruns) Hazel A. Borg (Dec 24)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Joseph S D Yao (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Neil Ratzlaff (Dec 22)
- <Possible follow-ups>
- RE: Active-content filtering (was RE: Buffer Overruns) fernando_montenegro (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Jody C. Patilla (Dec 28)
- Re: Active-content filtering (was RE: Buffer Overruns) Dorian Moore (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 30)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 26)
- Re: Active-content filtering (was RE: Buffer Overruns) Crispin Cowan (Dec 22)