Professional Documents
Culture Documents
Afnan AlOmrani.
King Saud University, Information Technology Department
Riyadh, Saudi Arabia
afno_89@hotmail.com
ABSTRACT
Security is an essential component in the structure for web applications (such as web sites). Most of these
applications use java script, which can give interacting webpages and handling dynamic pages. So when a
designer or developer wants to design/develop web page he/she must consider securing the JavaScript to
make web pages more secure and robust.
Keywords
Java, JavaScript, Security, Sun Microsystems, Netscape, CrossSite Scripting.
1.INTRODUCTION
This paper will discuss JavaScript definition, its benefits, futures, and how to secure it.
First this paper will talk about what is a JavaScript. Then, what its benefits and features that makes
JavaScript powerful scripting language. After that, it argues about JavaScript security. Finally, it concludes
with recommendations about how to use JavaScript in a secure way.
2.JAVASCRIPT AT GLANCE
JavaScript was first developed by Netscape as an open scripting language to create interactive web pages. It
was named LiveScript. In the late 1995 LiveScript became a joint venture of Netscape and Sun Microsystems
and its name was changed to JavaScript [6].
Script is a small program that is very easy to learn and use. Using JavaScript enables creating objects,
attaching methods and properties. Although JavaScript can run on both clientside and serverside, it is very
popular among clientside scripting languages. Client side means the script runs on client browser embedded
in the header of web pages.
2.1JavaScript Definition
JavaScript is a clientside script language that can be embedded into HTML pages to create interactive
elements [4].
2.2JavaScript benefits and features
JavaScript plays very important task for adding interactive feature to HTML web pages. JavaScript can
handle several events that occur on webpages and therefore help in designing dynamic and interactive
website. Moreover JavaScript makes it very easy to validate a form, check if any fields are empty and verify
correctness of data. JavaScript does all these at client side even before actually sending the data to server, in
that way it reduce huge load on server and then makes form processing easier and quicker.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies
are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy
otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.
The First MiniConference in Web Technologies and Trends (WTT)
© 2009 Information Technology Department, CCIS, King Saud University, Riyadh, Saudi Arabia
There are many features for JavaScript such as [1]:
• Interact with the HTML forms:
This is an important feature as it interacts with HTML forms. This feature is provided by the Form object and
the form element objects it can contain like: Button, Checkbox, Radio ...etc.
• Handles Dynamic Effects:
JavaScript is a powerful scripting language which has features to achieve dynamic effects in web pages.
• Control the Browser:
There are many JavaScript objects that allow control over the behavior of the browser. For instance, The
Window object supports methods to show dialog boxes, to display simple messages to the user or messages
that in the status line of any browsers window, and get simple input from the user. The Location object allows
downloading and displaying the contents of any URL in any window or frame of the browser. The History
object enables moving forward and back within the user's browsing history, simulating the action of the
browser's Forward and Back buttons. The Screen object provides information about the size and colour depth
of the monitor on which the web browser is being displayed.
• Control Document Appearance and Content:
The JavaScript Document object, through its write( ) method allows writing arbitrary HTML into a document
as the document is being parsed by the browser. For example, you can include the current date and time in a
document or display different content on different platforms. Also, using the Document object generate
documents entirely from scratch.
• Interact with the User:
An important feature of JavaScript is the ability to define event handlers. For example, move the mouse over
a link, enter a value in a form, or click the Submit button in a form. This eventhandling capability is important;
because programming –for example HTML forms, inherently requires an eventdriven model.
2.3JavaScript Security
Any time that programs (such as JavaScript scripts) are included within shared documents, particularly
documents that are transmitted over the Internet or by email, there is a potential for viruses or other malicious
programs [2].
JavaScript has its own security model. This security model is designed to protect the user from malicious
Web sites, and as a result, it enforces roles on what the page author is allowed to do. Moreover, it is not
planned to replace proper security measures, and should never be used in place of proper encryption [3].
JavaScript has a great feature in security that does not provide any way to write or delete files or directories
on the client computer. With no File object and no file access functions, a JavaScript program cannot delete a
user's data or place viruses on the user's system [2].
In addition, JavaScript has no networking primitives of any type. A JavaScript program can load URLs and
can send HTML form data to web servers, CGI scripts (Common Gateway Interface), and email addresses,
but it cannot create a direct connection to any other hosts on the network. This means, for example, that a
JavaScript program cannot use a client's machine as an attack platform from which to attempt to crack
passwords on another machine [2].
From a privacy point of view, when you browse the Web, one of the pieces of information you are by default
agree to release about yourself is which web browser you use. As a standard part of the HTTP protocol, a
2
string identifying your browser, its version, and its vendor is sent with every request for a web page. This
information is public, like the IP address of your Internet connection. However, other information should not be
public such as your email address, which should not be shown unless you choose to do so by sending an
email message or authorizing an automated email message to be sent under your name. There are large
amount of good reasons to be concerned about data privacy. One reason, for example, is a practical concern
about receiving electronic junk mail (spam) and the like. JavaScript program loaded from the Internet and
running in one web browser window should not be able to start examining the contents of other browser
windows that contain pages loaded from the intranet [2].
To mention part of browser security problems with JavaScript, there are numerous ways in which scripts can
affect the user’s execution environment without violating any security policies.
• Bombing Browsers with JavaScript [5]
The amount of resources a browser is granted on the client machine is largely a function of its operating
system. Unfortunately, many operating systems will continue to allocate CPU cycles and memory beyond
what may be reasonable for the application. It is all too easy to write JavaScript that will crash the browser,
both by design and by accident.
The content of the next several sections is designed to illustrate some of the main problems browsers have
with denialofservice attacks, with the "service" in this case being access to an operating system that
behaves normally. The results will vary from platform to platform, but running any one of these scripts has the
potential to crash not only the browser but also your operating system itself.
• Infinite Loops
By far the most simplistic (and obvious) way to cause unwanted side effects is to enter an infinite
loop, a loop whose exit condition is never fulfilled. Some modern browsers will catch and halt the
execution of the most obvious.
• Memory Hogs
one of the easiest ways to crash a browser is to eat up all the available memory.
• Using the Browser’s Functionality
a popular variation on theme is a script that writes <frameset> elements referencing itself,
thereby creating an infinite recursion of document fetches. This prevents any user action because
the browser is too busy fetching pages to field user interface events.
• CrossSite Scripting
Not all security problems related to JavaScript are the fault of the browser. Sometimes the
creator of a Web application is to blame. This exceedingly undesirable behavior is known as
crosssite scripting (commonly referred to as XSS). It allows JavaScript created by attackers to
be "injected" into pages on your site.
Crosssite scripting attacks aren’t limited to stealing cookies. Anything undesirable that is
prevented by the same origin policy could happen.
However, there are two approaches that may prevent crosssite scripting attacks. The first is to
always ensure validate user input at the server (e.g. in CGI, PHP …etc); that is, submitted form
values to be checked against regular expressions that are known to be "good" (or use equivalent
logic to make the determination). This is as opposed to checking values for undesirable
characters, which we term "negative" validation.
3
The second approach is to always HTMLescape data before writing it into a Web page. HTML
escaping replaces meaningful HTML characters such as < and > with their entity equivalents.
Doing so ensures that even if malicious input makes it past your input validation code, it will be
rendered harmless when written into the page.
3.CONCLUSION
Designers of JavaScript should be aware of these security issues and take care to prevent granting
JavaScript programs the power to perform damaging acts. Also, privacy issue is very crucial; therefore,
JavaScript programs must not be allowed to export information about the user of a browser when that
information is supposed to be private. In addition, browsing history (the record of which sites already visited)
and the contents of bookmarks list should remain private. Browsing history and bookmarks say a lot about
user interests
4.REFERENCES
[1] Flanagan, David. JavaScript: The Definitive Guide. 2001.
<http://docstore.mik.ua/orelly/webprog/jscript/ch01_06.htm>
[2] Flanagan, David. JavaScript: The Definitive Guide. 2001.
<http://docstore.mik.ua/orelly/webprog/jscript/ch21_01.htm>
[3] HOWTOCREAT. Located on the Internet at http://www.howtocreate.co.uk/tutorials/javascript/security. Last
visited: 15 December, 2008.
[4] IMPNERD. Located on the Internet at http://impnerd.com/glossaryofwebterms. Last visited: 13
December, 2008.
[5] Powell, Thomas, and Fritz Schneider. JavaScript: The Complete Reference.2004.
<http://www.windowsitlibrary.com/Content/1160/22/1.html >
[6] Sebesta, Robert w. Programming the World Wide Web .New York.2007.