On 12 May 2008 14:14:14 -0700, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (Robert A. Rosenberg) wrote:
> At 16:38 +0100 on 05/12/2008, Martin Packer wrote about
> Re: Mainframe programming vs the Web:
> > Javascript, by design, can do damn near anything to your
> > machine.
> What EXACTLY do you claim that JavaScript can do that is
> dangerous? It has no ability to access the Hard Drive (so
> it cannot look at your files) or things like that.
One old standby was to open dozens or hundreds of
browser windows with ads in them. It could lead to a
reboot just to get back control of your computer.
I'm not an expert, so I let Google do the work. Some
of the exploits are old, but they do or did exist. Here's
just a sample:
From http://www.pantos.org/atw/35547.html
Basically, any Web page that wants to can monitor and
record every move made by any user who hasn't disabled
JavaScript. The information that can be obtained includes
virtually every bit of data passed between the user and
every remote Web site they visit (including encrypted data,
complete with decryption keys).
http://www2006.org/programme/files/xhtml/17/xhtml/fp17-atterer.html
We present an implementation for detailed tracking of user
actions on web pages. An HTTP proxy modifies HTML pages by
adding JavaScript code before delivering them to the
client. This JavaScript tracking code collects data about
mouse movements, keyboard input and more. We demonstrate
the usefulness of our approach in a case study.
http://www.nist.org/news.php?extend.175
Two hackers at the ToorCon hacker conference demonstrated a
flaw in Firefox that could lead to arbitrary code
execution. The problem is with how Firefox implements
JavaScript.
...
When this is done it appears that whatever the JavaScript
did in the browser actually came from the website. So when
you think you are entering your PIN number on the bank's
site you may actually be entering it on the phishing /
hacker's site.
http://www.tcmagazine.com/forums/index.php?showtopic=2662
For example - if you follow security related news, you will
see that JavaScript is the key avenue being used against
you in today's attacks (even thru adbanners!)
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Imagine you're visiting a popular website and invisible
JavaScript exploit code steals your cookies, captures your
keystrokes, and monitors every web page that you visit.
Then, without your knowledge or consent, your web browser
is silently hijacked to transfer out bank funds, hack other
websites, or post derogatory comments in a public forum. No
traces, no tracks, no warning sirens. In 2005's "Phishing
with Superbait" presentation we demonstrated that all these
things were in fact possible using nothing more than some
clever JavaScript.
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com
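The quoted excerpts above (the proxy that injects tracking script, and the cookie and keystroke theft in the Black Hat abstract) share one precondition: script running in the page can read what the page holds. The following is an added example, not code from this thread or from any of the pages it quotes; it audits HTTP response headers for the two server-side controls that narrow that reach, the HttpOnly cookie flag (keeps a cookie out of document.cookie) and a Content-Security-Policy that refuses inline or injected script. The sample responses, cookie names and policy strings are constructed for illustration.

```javascript
// Added example (not from the original post or the quoted pages): audit
// HTTP response headers for HttpOnly cookies and a restrictive CSP.
// All sample responses below are constructed for illustration.

// Parse one Set-Cookie header value into its name and the flags we check.
function parseSetCookie(value) {
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Return the CSP directive tokens that govern script loading: script-src if
// present, otherwise default-src (its fallback), otherwise null.
function effectiveScriptSrc(csp) {
  const directives = {};
  for (const d of csp.split(';')) {
    const tokens = d.trim().split(/\s+/);
    if (tokens[0]) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || null;
}

// Audit a response of the form { headers: { name: value | [values] } } and
// return a list of findings; an empty list means both controls are in place.
function auditResponse(resp) {
  const findings = [];
  const headers = {};
  for (const [k, v] of Object.entries(resp.headers)) headers[k.toLowerCase()] = v;

  // A cookie without HttpOnly is visible to every script on the page,
  // including script an intermediary injected; without Secure it also
  // travels over plain HTTP where a proxy can read it.
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const raw of cookies) {
    const c = parseSetCookie(raw);
    if (!c.httpOnly) findings.push(`cookie "${c.name}" lacks HttpOnly: readable by any script on the page`);
    if (!c.secure) findings.push(`cookie "${c.name}" lacks Secure: sent over plain HTTP`);
  }

  // Without a CSP (or with 'unsafe-inline'), inline script added to the
  // page by a third party executes just like the site's own.
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('no Content-Security-Policy: injected inline script runs unrestricted');
  } else {
    const src = effectiveScriptSrc(csp);
    if (!src) findings.push('CSP has neither script-src nor default-src');
    else if (src.some((s) => s.toLowerCase() === "'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' script");
  }
  return findings;
}

// Constructed sample responses: a weak one and a hardened one.
const WEAK = { headers: { 'Set-Cookie': 'session=abc123; Path=/' } };
const HARDENED = {
  headers: {
    'Set-Cookie': ['session=abc123; Path=/; HttpOnly; Secure'],
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  },
};

for (const [label, resp] of [['weak', WEAK], ['hardened', HARDENED]]) {
  const findings = auditResponse(resp);
  console.log(`${label}: ${findings.length === 0 ? 'no findings' : '\n  ' + findings.join('\n  ')}`);
}
```

Running it under Node reports three findings for the weak response and none for the hardened one. HttpOnly does not stop a script from using the session (it can still issue requests from the page); it stops the cookie value itself from being read and exported, which is the theft the excerpts describe.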
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html