Ben Cantrick (mackys) wrote,
Ben Cantrick

In today's news of the bleedingly obvious: JavaScript is utterly insecure.

C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

Well, freaking duh. How many years now have I been ranting about JScript? I suspect it's been at least 3, possibly more.

I went to a certain site recently that used JavaScript for EVERYTHING. Seriously. You couldn't click on the FAQ link without JavaScript enabled, because it used "onclick:GoToFaqPage()" instead of a freaking anchor tag! Hello, people! Have you heard of this new thing called HTML 1.0? It's really revolutionary! You know, was invented 11 years ago and everything!

Thing is, I know this problem will never get better. Everyone uses JavaScript to do what they should be using CGI (or even a freaking HTML tag) to do. It would load faster, run faster, be less complicated to create and maintain, and not force the user's browser to default-enable a huge gaping security hole. But nnnnooooooooo....

I myself use NoScript religiously. And I know that nobody gives a damn if crotchety old me hates their website, but if your website *requires* JScript for even the most basic functionaity... I will never visit your site again. (Exceptions: YouTube and Google video.) And maybe send you a flame via email as well for being a dumbass as well.
  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.