Somehow this knowledge has not spread widely in the mainstream - I myself didn't quite realise how easy it was to do just this until about a year ago,
even though I've worked with Javascript on a regular basis for a decade. It's the type of vulnerability that has always been available, but only
visible to those looking for it. There is little use for these methods apart from snatching another person's history. Perhaps though, there are a lot
of motives to do so.
Vulnerabilities like this one don't exploit bugs, but instead the indirect access that Javascript gets to your browser. Javascript needs access to
various things; limiting access so that Javascript is still useful while preventing any abuse often requires a rewrite of substantial parts. Sometimes
it's impossible to retain functionality when improving security. Many vulnerabilities have been fixed in the past, but browser development remains a
work in progress.
One problem that probably cannot be solved is that injected malicious code could read whatever is in your cookie of the trusted site/domain running
the code, and transfer the content by use of Javascript's ability to make HTTP connections without affecting the page it's running on. Many sites
store account information such as username and a hashed password in their cookies; though it depends on the hashing algorithm and the password itself,
the attacker could have your plain-text password in mere seconds.
These are far from the only security problems with Javascript, and many sites include a heap of third-party Javascript code (hosted externally). In
effect, the probability of someone executing code you neither need nor want in your own browser is reasonably high. They may not be sniffing your
history, but how do you feel about "event tracking": code tracking every single mouse movement - every click or scroll - and sending the relevant data
immediately to a traffic analyser? Often such code is meant to help the site owners develop the site through proper analysis, but it's simply too
invasive when it starts affecting browser performance noticeably. Apart from good intentions, third parties sometimes get hacked to inject malicious
code on all the sites that were using it - and some third parties never had good intentions to begin with.
All in all, the default behaviour of browsers to blindly accept all Javascript code is insecure. If you only stick to trustworthy sites, and if they
do not allow for Javascript injection on any of the site's own pages, and if the site only includes trustworthy code of third parties, and if those
third parties never get compromised - then it is safe to run all Javascript code. However, if you like to roam the internet freely, the default
settings just open the window for anyone to run their code in your browser. Javascript itself is not that potent - it can't write or read files on
your system, for example - but the "little things" like browser performance, safety of accounts and privacy of browser history should be enough to be
more cautious than browsers tend to be by default.
Luckily there are various ways to deal with this. Some people just turn off Javascript completely, but more and more sites depend on Javascript to be
functional. A more popular approach is to use Firefox in combination with the NoScript extension.
NoScript protects against a number of known Javascript vulnerabilities, and has a number of settings with which you can configure in detail what you
want to allow. By default, it allows only the top-level site - the domain you're visiting - to run its code; all code gets separated by domain, and
you can choose which to allow by clicking the NoScript icon. Once you allow a domain, its code is allowed to run on all the sites using it - for
example, if you allow all of Facebook's domains, Facebook should just work from then on.
The drawback of this approach is that 'mash-up' sites using code from 'smaller' domains will break pretty much completely. You can temporarily allow
all domains for that page, but that defeats the whole purpose of using NoScript; manually allowing the right hosts would be better, but is
time-consuming. Overall however, you'll notice a boost in performance when the browser doesn't have to run all the extra code anymore - and, you'll be
a lot safer.
If you intend to roam the 'darker corners' of the interwebs as well, or if you just want to be really secure, you may want to disable the default
NoScript setting to allow top-level domains. This will require you to manually allow the top-level domain every time you visit a new site, but
therefore restricts all code unless you specifically tell it to trust it.
Whoops, didn't mean to turn this into a rant (even though I should've expected it to happen, I always rant :p) .. but I hope it's of use to
someone.
edit on 7-12-2010 by scraze because: (no reason given)
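As an added example from the defender's side (not code from the original post): a small Node.js script that parses Set-Cookie headers and flags cookies that script on the page could read through document.cookie, or that travel unprotected, which is the server-side mitigation for the cookie-reading problem described above. The sample headers and the hash value are constructed.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit what
// injected script can do with a cookie. A cookie without HttpOnly is readable
// via document.cookie by any script running on the page, which is the
// exfiltration path the post describes.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? "" : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim(); // flag or keyed value
  }
  return { name, value, attrs };
}

// Return the list of findings for a single Set-Cookie header.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push(`${name}: missing HttpOnly, readable via document.cookie`);
  }
  if (!attrs.secure) {
    findings.push(`${name}: missing Secure, may be sent over plain HTTP`);
  }
  const ss = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (ss !== "lax" && ss !== "strict") {
    findings.push(`${name}: SameSite not Lax/Strict, sent on cross-site requests`);
  }
  return findings;
}

function auditAll(headers) {
  return headers.flatMap(auditCookie);
}

// Constructed sample headers: a username plus password-hash cookie of the kind
// the post warns about (placeholder hash), next to a hardened session cookie.
const SAMPLE_HEADERS = [
  "user=alice; Path=/",
  "pwhash=placeholder0123456789abcdef; Path=/",
  "session=opaque-random-id; Path=/; HttpOnly; Secure; SameSite=Lax",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditAll(SAMPLE_HEADERS)) console.log(f);
}
```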