Web, JavaScript And Security

JavaScript is now main stream, thanks to the popularity and extensive acceptance of AJAX. In fact, AJAX is considered to be a core part of Web 2.0.

Acceptance of a technology by the industry has been a subject of its scanning under the security microscope, which has caused delays in accepting new things. JavaScript seemed to follow the same road, unless AJAX came around. AJAX gives this wonderful capability of behind-the-scenes requests to keep the web page dynamic, and make it more userfriendly and attractive to the user.

JavaScript has matured, however, not its security model. JavaScript opens doors to browser-based attacks. This may sound as the same old crib against scripting, but delve a little more in the side-channel attacks and the real danger surfaces:

“We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices,” said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. “This technique can scan networks protected behind firewalls such as corporate networks.”

The popular mode of attacks today is by exploiting the different browser vulnerabilties. But, JavaScript can now get inside your network. Once inside the network JavaScript can attack any IP enabled device, including server, routers or printers. This is no more limited to the user’s machine, the danger expands to the entire network, including the corporate ones. Along with the Web 2.0, these attack strategies too will mature and the new websites can end up being haven for the hackers end up in another cat and mouse game.

The good thing about seamless integration with scripting turns into evil as the user will never know if his/her machine or network has been attacked or not. Unless, the user is knowledgable enough to set the security to the right level. Every computer user cannot be expected of knowing the JavaScript vulnerabilities or keep his/her antennas on for staying alert to JavaScript problems. It will beat out the productivity, which is the ultimate purpose of using computers.

Security makes it difficult

Various new web frameworks have come up which allow easy AJAX integration and build sites quickly. However, if the different vulnerabilities are considered, it is not easy any more. Consider the cross-site scripting, cross-zone scripting or the new dangers of JavaScript.

Security does not figure in many applications as one of the primary requirements. Either the client is not very interested or even if i is considered its cost might turn it into a good-to-have feature. Many a times, a project starts with a reduced scope where the security is not urgent and is ignored. However, the project evolves with time and then it is more difficult and expensive to make it secure. Today, Web 2.0 is headed that way.

Solutions?

Disabling JavaScript is the instant reactive solution to this problem, however it not practical. Today scripting is ubiquitous. The solution lies in preventing hacks not avoiding scripting. Incorporating security in the JavaScript design involves changing its model which entails changing almost every web application today which might take time. The solution has to be a two-way approach – a policy based solution and an effort to improve scripting environments.

Clients, designers, developers, browsers – the whole industry should accept policy based decisions to avoid hacking. It would be perfect if there would be a way of differentiating between good-intentioned and malicious code. Maybe there can be certifications to certify non-malicious code. Ted Dziuba presents a novel approach, though a little critical, by differentiating between a document and an application.

Indeed, JavaScript is useful when the main purpose of your work is an application. When you are presenting information, however, there should be no JavaScript between the user and that information. As I said earlier: we as developers have an obligation to the rest of the internet to classify our work as either document or application. So, the next time you think that having your entire web site as one page with AJAX controls, please, think of the crawlers.

Software creators should focus on security along with the quick and easy rush. Make the web site secure and safe along with making it dynamic, interactive and flashy.

The industry needs to hold back a bit, focus on the JavaScript vulenrabilities, prepare for it and then get gung-ho about it.

Technorati tags: , , , , ,

Copyright Abhijit Nadgouda.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: