FAQ: JavaScript insecurities

JavaScript is playing a major role in the Web 2.0 boom, but increased use of the scripting language is raising security questions.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Web sites are becoming more interactive thanks to JavaScript, but the increased use of the decade-old scripting language is raising security questions.

JavaScript is playing a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts warn.

To answer some questions about JavaScript and how it may be a security threat, CNET News.com has created the following list of answers to frequently asked questions.

What is JavaScript?
JavaScript is a scripting programming language. It was developed at Netscape Communications as a derivative of ECMAScript and first introduced in 1995 in a version of the Netscape browser. JavaScript is best known for its use in Web sites.

Is JavaScript the same as Java?
No. Despite the name, JavaScript is only remotely related to Sun Microsystems' Java, a programming language and software that can run Java programs.

Bill Joy, one of Sun's co-founders, takes full responsibility for the name JavaScript, which was a "bad decision," he said at a recent event. "I was the one who let Netscape name it JavaScript," Joy said. "They called me on the phone. They were in a panic, and they wanted to use the name. I was on a family outing; I wasn't thinking."

What does JavaScript have to do with Web 2.0?
Web 2.0 lacks a precise definition; it's mainly used as a catch-all term to cover Web sites that are more than just plain, static pages. Web 2.0 sites are more interactive, allowing people to tag photos posted online, for example. Unlike their predecessors, Web 2.0 sites deliver an experience more akin to using a desktop application.

One of the key enablers of the flashier Web sites is a programming technique known as AJAX, which stands for "Asynchronous JavaScript and XML." Google Maps, launched last year, was one of the first Web applications to showcase the benefits of AJAX development techniques to a broad audience, as it let people use a mouse to move a map image around the screen.

"JavaScript is bad for security, a real disaster," David Wagner, a professor of computer science at the University of California at Berkeley, said at a recent event. "We're stuck with JavaScript at this point. AJAX means more JavaScript, and we're going to be stuck with it longer."

How can JavaScript be malicious?
Miscreants can program JavaScript in such a way that it will do things you might not want. For example, the recent Yamanner worm targeted Yahoo Mail. It harvested e-mail addresses, sent those off to the attacker, and forwarded itself to all contacts in a user's Yahoo address book. The Samy worm spread on MySpace, changing profiles on the hugely popular social-networking Web site. Both worms were created in JavaScript.

Security researchers also have recently found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as routers or printers.

How could I encounter malicious JavaScript?
A malicious script can be embedded in a Web page and typically run without warning when the page is viewed in any ordinary browser.

Attackers could try to lure you to their own, rigged Web site. But an attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of Digg.com plant JavaScript on the Netscape Web site.

How could an attack work?
After creating a malicious JavaScript, an attacker can look for a vulnerable Web site to host the script. Security experts say Web sites are rife with cross-site scripting flaws. An attacker could use such a flaw to embed his malicious code in the vulnerable Web site. People who visit the site will be attacked. In the Netscape.com attack this week, for example, visitors were presented with JavaScript pop-up alerts advertising rival Digg.com and, in some cases, redirecting them to that social media site.

Will JavaScript run on my computer?
All modern Web browsers support JavaScript.

What can I do to protect my PC or network?
You could disable JavaScript in your Web browser, which would prevent any JavaScript from running. However, that would also disable the functionality of many Web sites.

When run, JavaScript will bypass security measures such as a firewall because it runs through the user's browser, security experts said. "Your browser can be used to hack internal networks," said Jeremiah Grossman, chief technology officer at WhiteHat Security, a Web applications security company.

Some PC security software will detect malicious JavaScript, but typically only after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) to block the attack. Effective security measures can only be taken on the Web server side, security experts say.

What should Web site operators do?
They should peruse their Web site for cross-site scripting flaws and fix those. Also, any user-submitted JavaScript needs to be validated. "The users really are at the mercy of the Web sites they visit," Grossman said.
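
A sketch of the server-side fix described above, added here as an illustration and not taken from any site named in this article: user-submitted text is encoded when it is written into a page, and user-submitted links are limited to http(s). The function names and the sample input are constructed for this example.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Escape the five characters that let text break out of HTML body text
// or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user text is concatenated into markup, so any tags in it become live.
function renderCommentUnsafe(author, body) {
  return '<div class="comment"><b>' + author + '</b>: ' + body + '</div>';
}

// Hardened: every user-controlled value is encoded at the point of output.
function renderCommentSafe(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Links need a second check: escaping alone does not stop a javascript: URL.
// Only absolute http(s) URLs are accepted; anything else is replaced with "#".
function safeHref(rawUrl) {
  try {
    const url = new URL(String(rawUrl).trim());
    if (url.protocol === 'http:' || url.protocol === 'https:') return escapeHtml(url.href);
  } catch (e) { /* not an absolute URL: fall through and reject */ }
  return '#';
}

function renderProfileLink(rawUrl, label) {
  return '<a href="' + safeHref(rawUrl) + '" rel="nofollow noopener">' + escapeHtml(label) + '</a>';
}

// Constructed sample input: a harmless pop-up like the alerts described earlier.
const sampleComment = '<script>alert("visit another site")</script>';
console.log(renderCommentUnsafe('guest', sampleComment)); // script tag survives intact
console.log(renderCommentSafe('guest', sampleComment));   // rendered as inert text
console.log(renderProfileLink('javascript:alert(1)', 'my page'));
console.log(renderProfileLink('https://example.com/?a=1&b=2', 'my page'));
```

The encoding shown covers HTML body text and quoted attribute values only; user data placed inside a script block, a style sheet or an unquoted attribute needs encoding specific to that context.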

The rise in Web site flaws has some security experts concerned that Web developers aren't paying enough attention to security. The buzz around Web 2.0 has people rushing to create new Web sites--with high hopes of making big bucks--but the development momentum is all about features, and protections are being neglected, they say.

Why am I reading about this now and not a decade ago?
True, JavaScript has been around for about 10 years. However, the language has become increasingly popular in recent years thanks to AJAX. Also, while malicious JavaScript has been possible for a long time, security researchers have not focused much on it, instead favoring a hunt for bugs in Web browsers that allow for a quicker and simpler PC hijack, according to security experts.