flat assembler
Message board for the users of flat assembler.

Why we should always disable JS (and flash)

DimonSoft



Joined: 03 Mar 2010
Posts: 604
Location: Belarus
DimonSoft
Taking a single word and trying to apply its meaning out of context definitely does the trick of going off-topic. You can replace “trust” with any synonym you wish (I’m not a native speaker so might have chosen a bad one) but the concept stays the same: if you choose to use something you implicitly agree to be subject to all the good and bad consequences. If you’re not OK with that, you’d better stop using that. It’s quite funny to complain about the shop near your house selling expired food but to keep buying it.
Post 07 Sep 2019, 05:56
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
We don't have to trust every part of something. Just because we decide to visit a website doesn't mean we will trust everything it gives us. And we shouldn't simply trust something unseen and unknown. We can perhaps trust the text, and the images, but deny JS. Or for those that don't trust their browser to deal with malformed images we might decide to only trust the text. Or some other combination. There is no requirement to trust it all, or trust nothing. There are positions in between the two ends of the spectrum.

If I see a hole in the ground and am curious to find out what is inside, I wouldn't simply dive in without any care and see what happens. A bear might eat me, or a snake might bite me, or I might find the answer to immortality. I can't predict ahead of time which it might be. So I go there with caution.

But for some reason we are expected to simply allow any and all websites to do whatever they please and never question it, or even consider it might be harmful. But so many of the links I have shown in this thread tell us otherwise, we can't trust random websites to be all good and honest. There are plenty of scumbags out there very willing to take advantage of those that won't show caution.
Post 07 Sep 2019, 07:15
DimonSoft



Joined: 03 Mar 2010
Posts: 604
Location: Belarus
DimonSoft
revolution wrote:
We don't have to trust every part of something. Just because we decide to visit a website doesn't mean we will trust everything it gives us. And we shouldn't simply trust something unseen and unknown. We can perhaps trust the text, and the images, but deny JS. Or for those that don't trust their browser to deal with malformed images we might decide to only trust the text. Or some other combination. There is no requirement to trust it all, or trust nothing. There are positions in between the two ends of the spectrum.

But JavaScript code IS text. Text that specifies what a browser should do. Just like HTML. Just like SVG images. Just like CSS. In each of these cases instructions live in a very limited virtual environment. The only difference for JS is that it provides instructions in an imperative way while the rest use a declarative one. But neither causes vulnerabilities itself.

So, why do you trust your browser to be able to process and sandbox correctly some texts but not others?

revolution wrote:
If I see a hole in the ground and am curious to find out what is inside, I wouldn't simply dive in without any care and see what happens. A bear might eat me, or a snake might bite me, or I might find the answer to immortality. I can't predict ahead of time which it might be. So I go there with caution.

Run your web browser in a virtual machine and go for a walk in a large hamster ball, no problem. But wait, then you have to trust your VM to be able to process and sandbox correctly a large amount of native code that you don’t believe to be reliable. Oops!

revolution wrote:
But for some reason we are expected to simply allow any and all websites to do whatever they please and never question it, or even consider it might be harmful.

Lie! Webpage JS is limited to the environment that includes DOM and BOM. It can’t do whatever it “wishes”. It doesn’t even do anything by itself since it’s just a text that has no real meaning to hardware.

revolution wrote:
But so many of the links I have shown in this thread tell us otherwise, we can't trust random websites to be all good and honest. There are plenty of scumbags out there very willing to take advantage of those that won't show caution.

Choosing only JS-based attacks on browser implementations and then blaming only JS. What a beautiful (no) manipulation!

As soon as you stop filtering the information it will become obvious that JS is just the particular bus that took the attacker to the crime place. There’re lots of buses out there and many of them have the same number and route. Breaking one doesn’t prevent the attacker from taking another or even calling a taxi.
Post 07 Sep 2019, 16:51
sleepsleep



Joined: 05 Oct 2006
Posts: 8504
Location: ˛ Posts: 334455
sleepsleep
Post 03 Nov 2019, 08:38
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/

bad news,
Anyone that allows JS is just waiting to be exploited. It's a matter of 'when', not 'if', it will happen.
Post 03 Nov 2019, 08:58
sleepsleep



Joined: 05 Oct 2006
Posts: 8504
Location: ˛ Posts: 334455
sleepsleep
is there configuration to prevent favicon GET?
Post 03 Nov 2019, 09:02
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
is there configuration to prevent favicon GET?
In Chrome? I don't know, maybe.

But I don't think that is a proper solution. Disable JS, problem solved. In fact if you had JS already disabled then you wouldn't need to care about this problem at all.
Post 03 Nov 2019, 09:19
DimonSoft



Joined: 03 Mar 2010
Posts: 604
Location: Belarus
DimonSoft
https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/ wrote:
The exploit used a race condition bug between two threads due to missing proper synchronization between them.

LOL!!! That developers of a shitty browser failed to do proper multithreading is not JS’s fault. JS is single-threaded by its nature, so it’s developers of Chrome who messed things up. And if the bug exists in a browser, it can be triggered by different means. Even if the bug is in JS engine, it doesn’t make JS a bad idea. That you use a buggy C++ compiler written by 5-year-old Bobby Stupid is not what makes C++ bad, right?

Let’s blame the Internet and URL naming scheme instead. After all, if they didn’t exist, the attacker couldn’t have made a victim download the exploit in the first place.
Post 03 Nov 2019, 11:52
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
DimonSoft wrote:
https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/ wrote:
The exploit used a race condition bug between two threads due to missing proper synchronization between them.

LOL!!! That developers of a shitty browser failed to do proper multithreading is not JS’s fault. JS is single-threaded by its nature, so it’s developers of Chrome who messed things up. And if the bug exists in a browser, it can be triggered by different means. Even if the bug is in JS engine, it doesn’t make JS a bad idea. That you use a buggy C++ compiler written by 5-year-old Bobby Stupid is not what makes C++ bad, right?

Let’s blame the Internet and URL naming scheme instead. After all, if they didn’t exist, the attacker couldn’t have made a victim download the exploit in the first place.
That was a bug in the JS interpreter. I don't see that it can "be triggered by different means" since it is the JS system itself that has the bug.
DimonSoft wrote:
...it doesn’t make JS a bad idea.
I think it makes JS in a browser a bad idea.
Post 03 Nov 2019, 11:59
sleepsleep



Joined: 05 Oct 2006
Posts: 8504
Location: ˛ Posts: 334455
sleepsleep
in need of a very powerful firewall that could follow our rules,
Post 04 Nov 2019, 11:10
DimonSoft



Joined: 03 Mar 2010
Posts: 604
Location: Belarus
DimonSoft
revolution wrote:
That was a bug in the JS interpreter. I don't see that it can "be triggered by different means" since it is the JS system itself that has the bug.
DimonSoft wrote:
...it doesn’t make JS a bad idea.
I think it makes JS in a browser a bad idea.

So, when yet another bug in HTML or CSS processing appears, will that mean we should stop using HTML or CSS? What about image-processing library bugs causing maliciously-formed images to attack a browser? Should we go back to text-only web? Maybe no web? FTP? BBS? Direct dial-up connections?
Post 04 Nov 2019, 20:53
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
JS is a needless complication added to a browser for no good reason. Have a look through this thread and see all the problems and exploits that have been enabled by the existence of JS.
Post 05 Nov 2019, 04:14
DimonSoft



Joined: 03 Mar 2010
Posts: 604
Location: Belarus
DimonSoft
Images are also needless. Lynx was amazing. If I need to download an image, I’ll just download it. <svg> element is needless. <style> element is needless. <iframe> element is needless. And don’t even start discussing shadow DOM trees and <template> elements. What about CDATA?
Post 05 Nov 2019, 09:19
Tomasz Grysztar
Assembly Artist


Joined: 16 Jun 2003
Posts: 7489
Location: Kraków, Poland
Tomasz Grysztar
https://medium.com/better-programming/how-to-design-for-the-web-in-2019-a0be4d6702e2
Pretty much everything I'm doing wrong with this website. ;)
Post 10 Nov 2019, 17:30
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16891
Location: In your JS exploiting you and your system
revolution
Tomasz Grysztar wrote:
https://medium.com/better-programming/how-to-design-for-the-web-in-2019-a0be4d6702e2
Pretty much everything I'm doing wrong with this website. ;)
Haha.

I love the "Use JavaScript" website name.
Post 10 Nov 2019, 17:44
guignol



Joined: 06 Dec 2008
Posts: 640
guignol
the guy is hilarious
Post 11 Nov 2019, 20:46

Copyright © 1999-2019, Tomasz Grysztar.