What malicious things does JavaScript have for you?

I asked the question "What about these people who do not use Javascript?", and many people said that Javascript allows security attacks through client-side attacks.

So, I need to monitor and understand how bad the nature of these attacks is:

I would like to hear some detailed descriptions of actual attacks or damage caused to your computer or your network that were directly or indirectly caused or resolved using Javascript.

In particular, was there physical damage to your computer or network? Have you lost any data? Has any of your software been corrupted? If any damage occurred, how long did it take to repair and how much did it cost?

Or was the attack stopped before it did any damage, and how was it stopped? How long did it take and how much did it cost?

I do not consider pop-ups to be an attack. This is just an annoyance that can be easily blocked without disabling Javascript.

Please indicate only those attacks that you personally visited. I trust your wisdom as programmers, but I do not trust third parties, because the reason could be something else.

+4
7 answers

Hmm ... maybe get you out. I mean, it can literally own the entire computer, install a trojan.

I saw and made so many successful XSS attacks that led to the theft of the administration session and the management of the entire application. I saw and did delivery of an attack on the client side, such as the link above, which caused the installation of another application (RAT) and the management of the entire field.

After this point, the attacker can start attacking the internal network, for example, you can own a router and then manage all the traffic of the company, you can attack a domain controller or use a hash tool or similar tool to steal local credentials and attack other systems from these credentials. After that, all this concerns the security of other computers (and the local computer, if the browser works as the least privileged, instead of the administrator account).

+3

Well, any malicious JavaScript will ultimately act through the capabilities of the browser, so this proof-of-concept demonstration may correspond to what you're looking for. It uses the fact that a page can dynamically create a link to a given URL and then check which color it has, to find out whether your browser believes that this site is part of your browsing history. All this link does is attempt to guess your gender, but the same idea can be used for attacks - say, it can check the URLs of large banks and present you with a phishing attack configured for any bank that you use.

Of course, this may (should) be fixed in future versions of the browser, but then this is true for most exploits.

+1

Don't let end users embed HTML markup that allows them to use <script>, <style>, a style attribute, or any on... event attribute ... and check the contents of the href and src attributes.

E.g. if you have a blog, don't just let them comment with any HTML code.

Why?

1.) the script tag is obvious, they can do whatever they want

2.) the style and style attribute are not so obvious, but in IE they can use behavior or expression properties to invoke script content

3.) any onclick, onmouseover, etc. attribute can obviously contain script content, so avoid it.

4.) look at the href and src attributes; if they contain the javascript: protocol, you are also exposing script.

Update: throw in <iframe>, <object> and <embed> as dangerous tags too ...

+1

On my website nizzote.com/welcomeSO

I use <textarea> to collect text that I sanitize, but someone saved </textarea><script>for (var i = 1; i > 0; i++) { alert("click ok again"); }

and when the page is loaded again, you would be stuck in a warning window in which you need to close the browser in order to exit it.

I saw this pretty soon and HTML-encoded all the inputs to solve the problem (C# HttpUtility.HtmlEncode(string)). No real damage or cost, and the fix was quick.

+1

An injection attack on a vulnerable script entry on a client site caused the script trojan to attach to each text field in its database through an automatic MS SQL script. We ended up using a script to nullify it, to clean it, but quite a few people got some kind of infection through a server in China before the hole could be connected.

This refers to the fact that the injection hole was created using a JavaScript link (AJAX call), and the result was also called using subsequent javascript.

0

I personally had no problems except a few browser crashes here and there (and this is mostly from poorly written code). Don't read too much on this, I definitely understand that javascript is a pretty wide attack vector; I am just saying what is true for probably 80-90% of internet users, not web application developers.

0

Spoiled me the ability to use statically related strongly typed languages. And forged an involuntary bond of dependence on some guy named Crockford.

0
