Security and future of JavaScript/ AJAX

 
Author
Alexei White/ Andre Charland,

As you know, there has been an increase in concerns related to the usage of JavaScript in web pages (thanks to XSS!), with recommendations that users disable JavaScript in their browsers.

Where do you think the developers/organisations stand, after using JavaScript/AJAX in their web applications, when users disable JavaScript in their browsers?

Thanks.

Regards
Mala
 
Ranch Hand
Interesting question; waiting for the authors' reply.
 
Author & Gold Digger
Personally, I know very few people who disable JavaScript in their browsers, simply because that would make even the simplest web-based applications useless. Many people use online email clients, e-banking systems, and other web-based applications, all of which have to use some dose of JavaScript for functioning properly and offering a suitable post-web-1.0 user experience. That's a fact.

In 99.9% of all web applications, the data resides on the server, which means that the server-side code must ideally be properly secured against all types of attacks (SQL injection, XSS, and more at OWASP). In the case of XSS attacks, the goal is not always to hack the data (which we can properly secure 100%), but often to sort of hack the way information is displayed on the screen. When a web application is displayed within a frame/iframe of another malevolent web application, there is little one can do to prevent that, except using the new anti-phishing tools provided by browser vendors et al.

Using new technologies automatically implies taking more risks. At the end of the day, people committing to use new technologies or new arrangements of old technologies (like Ajax) are implicitly taking those risks and must do so in all awareness. Due to the openness of the web (which is its greatest strength as well as its greatest threat), the only thing we can really rely on is the users' awareness of the risks they are taking. Users must be made aware of the risks they are taking and they must be given the option of going down that path or not. As JavaScript developers and server-side developers, all you can really do is to secure your code as much as you can and inform your user base about the potential risks.
[ July 25, 2007: Message edited by: Valentin Crettaz ]
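The post above says server-side code must be secured against XSS so that user-supplied content changes what is displayed, not what runs. The following is an added example, not code from the thread or its authors: it contrasts raw string interpolation with output encoding at the point where untrusted data enters the markup. The comment record, the template and the `containsActiveMarkup` check are constructed for the demonstration.

```javascript
// Added example (not from the thread): escaping untrusted data before it is
// written into HTML, so user-supplied content is displayed rather than executed.
// The comment record and the template below are constructed for the demo.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change meaning in HTML text or inside a
// quoted attribute value. Non-string input is coerced to a string first.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": raw interpolation. A comment body containing markup becomes markup,
// and a quote in the author name breaks out of the attribute.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// "After": every untrusted value is escaped where it enters the template.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `${escapeHtml(comment.body)}</div>`;
}

// Constructed sample: an author value that tries to close the attribute and add
// an event handler, and a body that would run as script if rendered raw.
const sampleComment = {
  author: 'mallory" onmouseover="alert(1)',
  body: '<script>alert(1)</script>',
};

// Crude check used only to show the difference between the two renderers:
// does the output still contain a live <script> tag or an injected on* handler?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /\son[a-z]+="/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(sampleComment));
console.log('safe:  ', renderCommentSafe(sampleComment));
```

The same five-character encoding covers HTML text and double-quoted attribute values; other sinks (URLs, inline script, CSS) need their own context-specific encoders, which is why templating libraries escape by default and make raw output an explicit opt-in.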
 
Sheriff
Valentin said pretty much what I was going to say, but said it much more eloquently. A great response.
 
Mala Gupta
Author
Valentin Crettaz,

Thanks for your response. I appreciate it very much.

Thanks again.

Regards
Mala
 
author
I personally think the risks of using JavaScript are overblown and poorly understood. Interestingly, in our consultancy we saw large companies adopting heavy JavaScript use far quicker than public websites (like Amazon.com and CNN.com and such). The main reason for this is that the benefits appear to far outweigh the risks - but in a public web, you have less control over what people have turned on in their browsers.

And whether you actually USE JavaScript in your application or not does not actually increase or reduce these risks (like XSS for example). What mitigates risks is whether users will have JavaScript turned off in their browser altogether - something you can't control anyway. So you might as well use JavaScript to improve your users' experience.

That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all.

Maybe my co-authors will have some thoughts on this.
 
author
Valentin did say it well!

I think that the majority of users have JavaScript enabled and most websites require it. It is, however, a good idea to use degradable Ajax for those that don't have JavaScript enabled - though I would not bend over backwards to achieve this in all cases!

As for the reason that people might turn off JavaScript, there are a few easy steps that one can take to prevent the majority of attacks like XSS or CSRF that might take advantage of JavaScript in the browser. In particular positive filtering and unique key generation on form submits are the most important techniques to remember.
 
Valentin Crettaz
Author & Gold Digger
That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all.

I don't agree. There are countless records of such examples. And the phenomenon is just taking off.

"Phishing exposed" published by Syngress is just one of many books (+ countless articles) on this subject. Lance James shows very concrete examples of how to take advantage of vulnerable e-banking websites.

Plus another very handy tool called XSS-proxy shows very well how easy it is to set up XSS attacks in a completely transparent way for users.
[ July 27, 2007: Message edited by: Valentin Crettaz ]