More From This User
Related Docuements
What is JavaScript? JavaScript Was Designed to Add Interactivity To
INTRODUCTION OF JAVA SCRIPT
From Anthony Lawrence
J
AVA
S
CRIPT
S
ECURITY
Afnan Al-Omrani.King Saud University, Information Technology DepartmentRiyadh, Saudi Arabiaafno_89@hotmail.com
A
BSTRACT
Security is an essential component in the structure for web applications (such as web sites). Most of theseapplications use java script, which can give interacting webpages and handling dynamic pages. So when adesigner or developer wants to design/develop web page he/she must consider securing the JavaScript tomake web pages more secure and robust.
Keywords
Java, JavaScript, Security, Sun Microsystems, Netscape, Cross-Site Scripting.
1.I
NTRODUCTION
This paper will discuss JavaScript definition, its benefits, futures, and how to secure it.First this paper will talk about what is a JavaScript. Then, what its benefits and features that makesJavaScript powerful scripting language. After that, it argues about JavaScript security. Finally, it concludeswith recommendations about how to use JavaScript in a secure way.
2.J
AVA
S
CRIPT
AT
GLANCE
JavaScript was first developed by Netscape as an open scripting language to create interactive web pages. Itwas named LiveScript. In the late 1995 LiveScript became a joint venture of Netscape and Sun Microsystemsand its name was changed to JavaScript [6].Script is a small program that is very easy to learn and use. Using JavaScript enables creating objects,attaching methods and properties. Although JavaScript can run on both client-side and server-side, it is verypopular among client-side scripting languages. Client side means the script runs on client browser embeddedin the header of web pages.
2.1JavaScript Definition
JavaScript is a client-side script language that can be embedded into HTML pages to create interactiveelements [4].
2.2JavaScript
benefits
and features
JavaScript plays very important task for adding interactive feature to HTML web pages. JavaScript canhandle several events that occur on web-pages and therefore help in designing dynamic and interactivewebsite. Moreover JavaScript makes it very easy to validate a form, check if any fields are empty and verifycorrectness of data. JavaScript does all these at client side even before actually sending the data to server, inthat way it reduce huge load on server and then makes form processing easier and quicker.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copiesare not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copyotherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.The First Mini-Conference in Web Technologies and Trends (WTT)
©
2009 Information Technology Department, CCIS, King Saud University, Riyadh, Saudi Arabia
There are many features for JavaScript such as [1]:
•
Interact with the HTML forms:
This is an important feature as it interacts with HTML forms. This feature is provided by the Form object andthe form element objects it can contain like: Button, Checkbox, Radio ...etc.
•
Handles Dynamic Effects:
JavaScript is a powerful scripting language which has features to achieve dynamic effects in web pages.
•
Control the Browser:
There are many JavaScript objects that allow control over the behavior of the browser. For instance, The
Window
object supports methods to show dialog boxes, to display simple messages to the user or messagesthat in the status line of any browsers window, and get simple input from the user. The
Location
object allowsdownloading and displaying the contents of any URL in any window or frame of the browser. The
History
object enables moving forward and back within the user's browsing history, simulating the action of thebrowser's Forward and Back buttons. The
Screen
object provides information about the size and colour depthof the monitor on which the web browser is being displayed.
•
Control Document Appearance and Content:
The JavaScript Document object, through its
write( )
method allows writing arbitrary HTML into a documentas the document is being parsed by the browser. For example, you can include the current date and time in adocument or display different content on different platforms. Also, using the Document object generatedocuments entirely from scratch.
•
Interact with the User:
An important feature of JavaScript is the ability to define event handlers. For example, move the mouse overa link, enter a value in a form, or click the Submit button in a form. This event-handling capability is important;because programming –for example- HTML forms, inherently requires an event-driven model.
2.3JavaScript Security
Any time that programs (such as JavaScript scripts) are included within shared documents, particularlydocuments that are transmitted over the Internet or by email, there is a potential for viruses or other maliciousprograms [2].JavaScript has its own security model. This security model is designed to protect the user from maliciousWeb sites, and as a result, it enforces roles on what the page author is allowed to do. Moreover, it is notplanned to replace proper security measures, and should never be used in place of proper encryption [3].JavaScript has a great feature in security that does not provide any way to write or delete files or directorieson the client computer. With no File object and no file access functions, a JavaScript program cannot delete auser's data or place viruses on the user's system [2].
In addition, JavaScript has no networking primitives of any type. A JavaScript program can load URLs andcan send HTML form data to web servers, CGI scripts (Common Gateway Interface), and email addresses,but it cannot create a direct connection to any other hosts on the network. This means, for example, that aJavaScript program cannot use a client's machine as an attack platform from which to attempt to crackpasswords on another machine [2].From a privacy point of view, when you browse the Web, one of the pieces of information you are by defaultagree to release about yourself is which web browser you use. As a standard part of the HTTP protocol, a2
string identifying your browser, its version, and its vendor is sent with every request for a web page. Thisinformation is public, like the IP address of your Internet connection. However, other information should not bepublic such as your email address, which should not be shown unless you choose to do so by sending anemail message or authorizing an automated email message to be sent under your name. There are largeamount of good reasons to be concerned about data privacy. One reason, for example, is a practical concernabout receiving electronic junk mail (spam) and the like. JavaScript program loaded from the Internet andrunning in one web browser window should not be able to start examining the contents of other browserwindows that contain pages loaded from the intranet [2].To mention part of browser security problems with JavaScript, there are numerous ways in which scripts canaffect the user’s execution environment without violating any security policies.
•
Bombing Browsers with JavaScript
[5]The amount of resources a browser is granted on the client machine is largely a function of its operatingsystem. Unfortunately, many operating systems will continue to allocate CPU cycles and memory beyondwhat may be reasonable for the application. It is all too easy to write JavaScript that will crash the browser,both by design and by accident.The content of the next several sections is designed to illustrate some of the main problems browsers havewith denial-of-service attacks, with the "service" in this case being access to an operating system thatbehaves normally. The results will vary from platform to platform, but running any one of these scripts has thepotential to crash not only the browser but also your operating system itself.
•
Infinite Loops
By far the most simplistic (and obvious) way to cause unwanted side effects is to enter an infiniteloop, a loop whose exit condition is never fulfilled. Some modern browsers will catch and halt theexecution of the most obvious.
•
Memory Hogs
one of the easiest ways to crash a browser is to eat up all the available memory.
•
Using the Browser’s Functionality
a popular variation on theme is a script that writes <frameset> elements referencing itself,thereby creating an infinite recursion of document fetches. This prevents any user action becausethe browser is too busy fetching pages to field user interface events.
•
Cross-Site Scripting
Not all security problems related to JavaScript are the fault of the browser. Sometimes thecreator of a Web application is to blame. This exceedingly undesirable behavior is known as
cross-site scripting
(commonly referred to as
XSS
). It allows JavaScript created by attackers tobe "injected" into pages on your site.Cross-site scripting attacks aren’t limited to stealing cookies. Anything undesirable that isprevented by the same origin policy could happen.However, there are two approaches that may prevent cross-site scripting attacks. The first is toalways ensure validate user input at the server (e.g. in CGI, PHP …etc); that is, submitted formvalues to be checked against regular expressions that are known to be "good" (or use equivalentlogic to make the determination). This is as opposed to checking values for undesirablecharacters, which we term "negative" validation.3
of 00
JS Security
1,421 Reads
Info and Rating
| Category: | |
| Rating: | |
| Upload Date: | 02/24/2009 |
| Copyright: | Attribution Non-commercial |
| Tags: |
Read online for free.
Leave a Comment