JavaRanch » Java Forums » Engineering » HTML, CSS and JavaScript
Security and future of JavaScript/ AJAX

Mala Gupta
Author
Ranch Hand

Joined: Sep 27, 2002
Posts: 251
    
Alexei White/ Andre Charland,

As you know, there has been an increase in concerns related to the usage of JavaScript in web pages (thanks to XSS!), recommending that users disable JavaScript in their browsers.

Where do you think the developers/ organisations stand, after using JavaScript/ AJAX in their web applications and users disabling JavaScript in their browsers?

Thanks.

Regards
Mala


Author of Manning's OCA Java SE 7 Programmer I Certification Guide and OCP Java SE 7 Programmer II Certification Guide
Muhammad Saifuddin
Ranch Hand

Joined: Dec 06, 2005
Posts: 1321

Interesting question, waiting for the author's reply.


Saifuddin..
[Blog][Linkedin] How To Ask Questions On JavaRanch My OpenSource
Valentin Crettaz
Gold Digger
Sheriff

Joined: Aug 26, 2001
Posts: 7610
Personally, I know very few people who disable JavaScript in their browsers, simply because that would make even the simplest web-based applications useless. Many people use online email clients, e-banking systems, and other web-based applications, all of which have to use some dose of JavaScript for functioning properly and offering a suitable post-web-1.0 user experience. That's a fact.

In 99.9% of all web applications, the data resides on the server, which means that the server-side code must ideally be properly secured against all types of attacks (SQL injection, XSS, and more at OWASP). In the case of XSS attacks, the goal is not always to hack the data (which we can properly secure 100%), but often to sort of hack the way information is displayed on the screen. When a web application is displayed within a frame/iframe of another malevolent web application, there is little one can do to prevent that, except using the new antiphishing tools provided by browser vendors et al.

Using new technologies automatically implies taking more risks. At the end of the day, people committing to use new technologies or new arrangements of old technologies (like Ajax) are implicitly taking those risks and must do so in all awareness. Due to the openness of the web (which is its greatest strength as well as its greatest threat), the only thing we can really rely on is the user awareness of the risks they are taking. Users must be made aware of the risks they are taking and they must be given the option of going down that path or not. As JavaScript developers and server-side developers, all you can really do is to secure your code as much as you can and inform your user base about the potential risks.
[ July 25, 2007: Message edited by: Valentin Crettaz ]

SCJP 5, SCJD, SCBCD, SCWCD, SCDJWS, IBM XML
[Blog] [Blogroll] [My Reviews] My Linked In
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61433
    

Valentin said pretty much what I was going to say, but said it much more eloquently. A great response.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Mala Gupta
Author
Ranch Hand

Joined: Sep 27, 2002
Posts: 251
    
Valentin Crettaz,

Thanks for your response. I appreciate it very much.

Thanks again.

Regards
Mala
Alexei White
author
Greenhorn

Joined: Jul 20, 2007
Posts: 14
I personally think the risks of using JavaScript are overblown and poorly understood. Interestingly, in our consultancy we saw large companies adopting heavy JavaScript use far quicker than public websites (like Amazon.com and CNN.com and such). The main reason for this is that the benefits appear to far outweigh the risks - but in a public web, you have less control over what people have turned on in their browsers.

And whether you actually USE JavaScript in your application or not does not actually increase or reduce these risks (like XSS for example). What mitigates risks is whether users will have JavaScript turned off in their browser altogether - something you can't control anyway. So you might as well use JavaScript to improve your users' experience.

That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all.

Maybe my coauthors will have some thoughts on this.


Alexei White
Nitobi Software
-------------------
www.nitobi.com
Enterprise Ajax Book http://www.enterpriseajax.com
f. 604.985.9287
Dave Charles Johnson
author
Greenhorn

Joined: Jul 26, 2007
Posts: 4
Valentin did say it well!

I think that the majority of users have JavaScript enabled and most websites require it. It is, however, a good idea to use degradable Ajax for those that don't have JavaScript enabled - though I would not bend over backwards to achieve this in all cases!

As for the reason that people might turn off JavaScript, there are a few easy steps that one can take to prevent the majority of attacks like XSS or CSRF that might take advantage of JavaScript in the browser. In particular positive filtering and unique key generation on form submits are the most important techniques to remember.
Valentin Crettaz
Gold Digger
Sheriff

Joined: Aug 26, 2001
Posts: 7610
"That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all."

I don't agree. There are countless records of such examples. And the phenomenon is just taking off.

"Phishing exposed" published by Syngress is just one of many books (+ countless articles) on this subject. Lance James shows very concrete examples of how to take advantage of vulnerable e-banking websites.

Plus another very handy tool called XSS-proxy shows very well how easy it is to set up XSS attacks in a completely transparent way for users.
[ July 27, 2007: Message edited by: Valentin Crettaz ]
 