Web Browser Security » Linux Magazine
 

Why you can't just disable JavaScript

Web Browser Security

Author(s):

As ugly and hard to secure as JavaScript is, it could be worse – we could be using ActiveX.

JavaScript – can't live with it, can't live without it. The modern web is amazing; I can pay my bills, buy a laptop, and order hot pizza all from my web browser. To do all these activities, I must have a web browser with JavaScript enabled. If I disable it, I can't read my email, pay my bills, buy anything, or view approximately half the websites on the planet. But if I enable JavaScript, the bad guys can:

  • track who I am with tracking code, such as Google Analytics;
  • exploit security vulnerabilities in Firefox (120+ and still going);
  • redirect me to hostile websites; and
  • hijack actions, such as keyboard and mouse clicks.

Did I just say 120+ security vulnerabilities in Firefox that are exploitable via JavaScript? Yup. And that's not counting the ones that haven't been officially categorized or fixed yet. A perfect example of one of these is CVE-2009-0253; using the onmouseover action to position a 2 by 2 pixel box over a clickable link, an attacker can redirect you to an arbitrary website [1]. Any mouse click event (i.e., clicking on what looks like a legitimate link, image, etc.) over a link results in an onmouseover event that redirects you to, well, wherever the attacker wants:

[...]
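A defender-side triage check for the pattern described above, as an added example that is not the article's own listing: it statically flags elements that combine an inline mouse-event handler with a size of only a few pixels. The handler list, the 4-pixel threshold, and the sample markup are assumptions constructed for illustration; handlers attached from script and sizes set in stylesheets are outside what this scan sees.

```python
import re
from html.parser import HTMLParser

# Assumptions for this example: which handlers to watch and what counts as "tiny".
MOUSE_HANDLERS = {"onmouseover", "onmousemove", "onmouseenter"}
MAX_PX = 4.0

def _inline_px(style, prop):
    """Pixel value of `prop` in an inline style string, or None if absent."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+(?:\.\d+)?)px" % prop, style, re.I)
    return float(m.group(1)) if m else None

def _size(attrs, prop):
    """Prefer the inline style; fall back to a numeric width/height attribute."""
    value = _inline_px(attrs.get("style", ""), prop)
    if value is None and attrs.get(prop, "").isdigit():
        value = float(attrs[prop])
    return value

class TinyHandlerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        handlers = sorted(MOUSE_HANDLERS & a.keys())
        w, h = _size(a, "width"), _size(a, "height")
        # Flag only when a handler is present AND both dimensions are known and tiny.
        if handlers and w is not None and h is not None and max(w, h) <= MAX_PX:
            self.findings.append({"line": self.getpos()[0], "tag": tag,
                                  "handlers": handlers, "size": (w, h)})

def audit(html):
    parser = TinyHandlerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; handler bodies are inert placeholders.
SAMPLE = """\
<a href="/account">My account</a>
<div style="position:absolute; width:2px; height:2px" onmouseover="h()"></div>
<img src="logo.png" width="120" height="40" onmouseover="swap(this)">
<span onmouseover="tip()">help</span>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a prompt for manual review rather than a verdict, since tracking pixels and layout spacers can also be this small.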

Read full article as PDF »

064-065_kurt.pdf (227.09 kB)