In today's news of the bleedingly obvious: JavaScript is utterly insecure. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-07-30 21:38
  Subject:   In today's news of the bleedingly obvious: JavaScript is utterly insecure.
"C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"


Well, freaking duh. How many years now have I been ranting about JScript? I suspect it's been at least 3, possibly more.

I went to a certain site recently that used JavaScript for EVERYTHING. Seriously. You couldn't click on the FAQ link without JavaScript enabled, because it used "onclick:GoToFaqPage()" instead of a freaking anchor tag! Hello, people! Have you heard of this new thing called HTML 1.0? It's really revolutionary! You know, it was invented 11 years ago and everything!

Thing is, I know this problem will never get better. Everyone uses JavaScript to do what they should be using CGI (or even a freaking HTML tag) to do. It would load faster, run faster, be less complicated to create and maintain, and not force the user's browser to default-enable a huge gaping security hole. But nnnnooooooooo....

I myself use NoScript religiously. And I know that nobody gives a damn if crotchety old me hates their website, but if your website *requires* JScript for even the most basic functionality... I will never visit your site again. (Exceptions: YouTube and Google video.) And maybe send you a flame via email as well for being a dumbass.

  User: (Anonymous)
  Date: 2006-07-31 02:59 (UTC)
  Subject:   (no subject)
So, Ben... tell us how you *really* feel.


Ben Cantrick
  User: mackys
  Date: 2006-07-31 09:24 (UTC)
  Subject:   How I really feel:

I like pie.

Mmmm, pie...

  User: zonereyrie
  Date: 2006-07-31 03:57 (UTC)
  Subject:   (no subject)
Welcome to Web 2.0. If you're not using JavaScript you're a sucky web designer.

Though I admit I like a lot of AJAX sites, like Google Maps or TiVo Central Online. Things are moving from static sites to web-based applications.

Ben Cantrick
  User: mackys
  Date: 2006-07-31 09:08 (UTC)
  Subject:   (no subject)
Google Maps may be the first time I've looked at a site that required JavaScript and said, "Okay, maybe THEY really do need JS." If every site used JS like Google Maps, I doubt I'd be ranting about it. The reality of things, of course, is an entirely different story...