flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

Goto page Previous  1, 2, 3 ... 14, 15, 16 ... 20, 21, 22  Next
Author
Thread Post new topic Reply to topic
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A

_________________
qiq;
Post 11 Mar 2019, 09:10
View user's profile Send private message Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8361
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
alert() inside loop is quite malicious, Laughing

but why browser doesn't come with a button to just simply stop any script in particular tab, it just damn funny, this feature is like essential, but you only gain such power through addon, Laughing
Post 11 Mar 2019, 17:08
View user's profile Send private message Reply with quote
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A
That's entirely question to revolution.

So you think you'll get an answer?
Post 11 Mar 2019, 18:04
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
sleepsleep wrote:
alert() inside loop is quite malicious,
No. It isn't alert() that is malicious. It is JS.
Post 11 Mar 2019, 18:05
View user's profile Send private message Visit poster's website Reply with quote
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A
Ay, the embediment of malicious.
Post 11 Mar 2019, 18:10
View user's profile Send private message Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8361
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
revolution wrote:
sleepsleep wrote:
alert() inside loop is quite malicious,
No. It isn't alert() that is malicious. It is JS.


everything around us is quite double edged sword, browser itself could be malicious, websites, os, and so on, now everything is malicious, including laptop and keyboard, Laughing
Post 11 Mar 2019, 19:01
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
I find it much easier to trust a single keyboard that I have physical control over, than billions of websites with unknown security practices delivering me un-auditable code to execute.
Post 11 Mar 2019, 20:34
View user's profile Send private message Visit poster's website Reply with quote
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A
And how do you "audit" interaction, may I ask?

(Do you hear voices? As, computer machines do talk to you?)
Post 11 Mar 2019, 23:29
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
Let's use even more code to stop other code that we don't like. Crazy. A non-solution to a real problem.
... the researchers went through over 1 million of the most popular websites and uncovered that more than 3,000 sites were digging for cryptocurrencies without their users' knowledge.
The proper solution is to not run JS. Then no more problem with cryptojacking or being ...
Quote:
... confronted with pop-up windows containing ads or short messages that link them to fee-based offers or malware and which have to be tediously clicked away.
Post 15 Mar 2019, 18:22
View user's profile Send private message Visit poster's website Reply with quote
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A
I found Eichman
Image
Post 15 Mar 2019, 23:22
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
JS Everywhere Smile


Description: My reaction is the same as Woody
Filesize: 67.51 KB
Viewed: 795 Time(s)

JSEverywhere.jpg


Post 30 Apr 2019, 15:34
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
We can't trust any websites with JS. Not even your very own personal website.
In total, researchers with China-based Netlab 360 found 105 websites that executed card-skimming JavaScript hosted on the malicious domain magento-analytics[.]com. While the domain returns a 403 error to browsers that try to visit it, a host of magento-analytics[.]com URLs host code that’s designed to extract the name, number, expiration date, and CVV of payment cards that are used to make purchases. The e-commerce sites are infected when the attackers add links that cause the malicious JavaScript to be executed.
At least someone in the journalism profession gets it:
Quote:
There’s no easy way for people to know for sure if an e-commerce site they’re browsing is infected.
Post 11 May 2019, 18:09
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 570
Location: Belarus
So, the website allows an attacker to add arbitrary JS code to its pages by adding some links. It’s called injection vulnerability. The website is broken. Don’t trust broken websites.

I don’t see how this differs from any other vulnerability. You have a program, the program has buffer overflow in it. Attacker gives you a malicious document that you pass to the program. The program is broken. Don’t trust the program.

The problem is how to find out if a program/website is broken. Rejecting JS is like treating every website using JS broken (which often is quite valid decision, for quality-in-use reasons). But then we should treat every program using arrays broken as well, since having array index out of bounds causes buffer overflow.
Post 11 May 2019, 18:47
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
The difference is that programs we download can be checked, verified and authorised. But random websites can change within seconds. So if you check, verify and authorise your favourite website today, that gives you no guarantee that the next time you visit it it is still the same. Along comes a hacker and finds a vulnerability, injects bad JS code and now everyone that previously "verified" the site as safe has become a victim.

You have no control over other people's websites, so you have no way of judging its safeness or otherwise.

And what is so important about JS that we are required to run it? Nothing that I can tell. It is not required. But there are so many websites out there that are JS only, as if normal HTML can't display text and images or something. There are so many websites out there that whinge about JS being disabled, as if the whole world is broken if we don't view animated menus or something. And even the designation of "JS disabled" is to nudge us into thinking we are handicapped, instead of "JS enhanced" to allow us to watch the pretty animated menus if we care about such fluff.
Post 12 May 2019, 02:40
View user's profile Send private message Visit poster's website Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 222
yeah, i usually disable JS. (and enable it only when required)

but such dirtiness, hell lot of websites rely on JS. i hate them all.

stupid JS just like microsoft's virus 10.

_________________
Asm For Wise Humans
Post 12 May 2019, 09:08
View user's profile Send private message Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 570
Location: Belarus
revolution wrote:
The difference is that programs we download can be checked, verified and authorised. But random websites can change within seconds. So if you check, verify and authorise your favourite website today, that gives you no guarantee that the next time you visit it it is still the same. Along comes a hacker and finds a vulnerability, injects bad JS code and now everyone that previously "verified" the site as safe has become a victim.

That’s the price of having websites available worldwide 24/7. Make a normal desktop application available from any computer in the Internet and everything you’ve mentioned becomes applicable to such an application.

That an injection exists is not JS’s fault, it’s a server-side code security bug. There’re lots of programs that allow some kind of scripting, browsers are just one example. And injecting JavaScript is the least one can do after having gained full access to a broken web-application. Having got in through a buffer overflow bug an attacker has much more opportunities. Suppose the application is your favourite messenger.
Post 12 May 2019, 10:21
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
I'm not blaming the JS. It was doing it's job. The problem is the job should not exist. So I guess I'm blaming the culture of requiring people to execute random code delivered by all those millions of unknown, untrusted sources. No random website should be allowed to execute code on the machine just because it says it wants to. People are well warned about downloading random programs and executing them to play some game that they think they may like. But for some reason JS gets a pass from all the scary warnings, and instead people get admonished for not allowing it!

I disagree that JS is the price of having websites available 24/7. Availability is an entirely separate issue.

Yes, the injection is a problem on the server side. But, like I said above, we have no control over that. Someone else didn't do their job correctly, and it is the users have to suffer for it. So only when every website in existence is perfect and has no malicious operators and no hackable backdoors and all JS code can be checked for problems by trusted parties, then we can run JS. But meanwhile back in the real world we need to recognise that that state will never be achieved.
Post 12 May 2019, 11:55
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 570
Location: Belarus
revolution wrote:
I disagree that JS is the price of having websites available 24/7. Availability is an entirely separate issue.

That point was about changes made out of visitor’s control.

Quote:
Yes, the injection is a problem on the server side. But, like I said above, we have no control over that. Someone else didn't do their job correctly, and it is the users have to suffer for it. So only when every website in existence is perfect and has no malicious operators and no hackable backdoors and all JS code can be checked for problems by trusted parties, then we can run JS. But meanwhile back in the real world we need to recognise that that state will never be achieved.

No difference from any other application. We can’t be sure your OS is safe (and we know it is not). We can’t be sure your browser itself will not manifest some security bug (buffer overflow again?) when faced to malformed HTML.
Post 12 May 2019, 21:16
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16734
Location: In your JS exploiting you and your system
The difference is as I stated above. I have control over when or if I change the code on my machines. I still run WinXP, I know it well and I know how to keep it in good condition. But I don't have that choice on a website. Someone places malicious code on their website and then expect everyone to blindly run it. That is very different.
Post 12 May 2019, 21:24
View user's profile Send private message Visit poster's website Reply with quote
guignol



Joined: 06 Dec 2008
Posts: 602
Location: /96A
Malformed HTML?
Post 13 May 2019, 03:29
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3 ... 14, 15, 16 ... 20, 21, 22  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.