As JavaScript becomes more important for websites and is used more widely in Web 2.0 pages with interactive elements, hackers are paying more attention to this scripting language. IT security experts spoke about the dangers associated with JavaScript at the CanSecWest conference on Wednesday.
Malicious JavaScript scripts are carefully hidden, said Arbor Networks senior security engineer Jose Nazario. The text of the script is split into many components, encrypted, and padded with junk instructions. Some scripts even add features that make debugging or running in virtual machines difficult. “Attackers can destroy warnings and all kinds of verification procedures.” Often they even limit the ability to download a script to specific IP addresses. For example, an antivirus company that visits a malicious site may get a blank page, while a regular user is served an exploit.
A few years ago, researchers warned of future worms that could spread through online user profiles using JavaScript. In 2005, such a worm appeared on MySpace. Last year, the writing of malicious code in JavaScript and AJAX moved from research into commercial use. In February, the IT security company Websense discovered that the Dolphin Stadium website was infected with Trojan JavaScript code: instead of the usual replacement of text on the home page, the attackers had embedded invisible malicious code into it. Further research showed that dozens of sites had already been infected in this way. And in March, security researcher Billy Hoffman demonstrated Jikto, a botnet script written in JavaScript and running through a browser.
Most of the experts who attended the conference agreed that the number of threats using JavaScript will increase over time.
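The hiding techniques Nazario describes (script text split into components and encoded) leave static traces that a defender can count before running anything. The sketch below is an added example, not code from the article or the conference talks; the thresholds, function names and both sample scripts are constructed for illustration, and junk-instruction padding and IP-based cloaking are not covered by it.

```javascript
// Added example: static indicators of split and encoded script text.
// Thresholds and samples are assumptions chosen for illustration.

// Calls that build or run code from strings at runtime.
const DYNAMIC_CALLS = /\b(eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(/g;
// Short string literals chained with "+", e.g. 'do'+'cu'+'me'+'nt'.
const SPLIT_LITERALS = /(["'])[^"'\n]{0,8}\1\s*\+\s*(?=["'])/g;
// Eight or more consecutive %XX, \xXX or \uXXXX escapes.
const ENCODED_RUN = /(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}/gi;

function countMatches(re, text) {
  return (text.match(re) || []).length;
}

// Returns raw counts plus a 0..3 score; two or more indicators => suspicious.
function obfuscationIndicators(source) {
  const dynamicCalls = countMatches(DYNAMIC_CALLS, source);
  const splitLiterals = countMatches(SPLIT_LITERALS, source);
  const encodedRuns = countMatches(ENCODED_RUN, source);
  let score = 0;
  if (dynamicCalls >= 2) score += 1;   // layered decode-then-run calls
  if (splitLiterals >= 3) score += 1;  // identifier rebuilt from fragments
  if (encodedRuns >= 1) score += 1;    // long escaped payload
  return { dynamicCalls, splitLiterals, encodedRuns, score, suspicious: score >= 2 };
}

// Constructed sample: ordinary page script.
const SAMPLE_PLAIN = 'function greet(name) { document.write("Hello, " + name); }';

// Constructed sample: harmless, but shaped like a hidden script.
// The escaped run decodes to the text "document.title".
const SAMPLE_HIDDEN =
  "var a='do'+'cu'+'me'+'nt';var junk=1;junk=junk+0;" +
  "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65'));";

for (const [name, src] of [["plain", SAMPLE_PLAIN], ["hidden", SAMPLE_HIDDEN]]) {
  console.log(name, JSON.stringify(obfuscationIndicators(src)));
}
```

Counts like these are triage signals only: minified legitimate code can trip them, and a script that is never served to the scanner's IP address will not be seen at all.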
www.securitylab.ru/news/294771.php

- Do you think there is a real increase in hacks precisely because of the spread of JavaScript in website building?
... for me in any scripting language, if the programmer is not competent enough, then these holes will appear mostly not from the ideality of the language, but from the human factor.