JavaScript security breaches

JavaScript has been in wide use ever since Netscape created it in 1995. It changed the way the Internet and websites work by adding functionality that is lightweight yet feature-rich. Ad servers use JavaScript to display ads on websites; ads are the bread and butter of most publishers and so underpin many successful, established and useful sites. Beyond ads, JavaScript is used for graphical effects and a great many other site functions.

Like most good things, however, there is a catch. JavaScript has been behind many security vulnerabilities over the years. Although the language is widespread and has been tweaked and revised repeatedly, it is still easy to use insecurely. One example is FredsCars.net, a popular car auction site that was reduced to a small static HTML page simply because its operators could no longer control the site's behaviour owing to JavaScript vulnerabilities.

First, JavaScript can be written to carry out malicious actions against a user within the bounds the language allows, and there is little in the language itself that prevents such code from doing harm once a page runs in a browser. The only practical assurance is to visit trusted, reputable websites and to stay clear of sites recommended or promoted by unsolicited sources. Today's browsers do enforce restrictions on scripts (a script cannot read local files or read data belonging to another origin, for example), but a script running in a page has all the privileges of that page, so a great deal of damage can be done without breaching any of the browser's restrictions.

Because JavaScript is dynamic and can be loaded from remote servers, the code itself is another factor in keeping a site secure. Is part or all of the code loaded from another domain? If so, you need to know whether those domains are trusted, when their registrations expire, and whether they are actually authoritative for the code you expect. Third-party JavaScript, widgets and ad servers usually load code from another domain, and if that domain later passes to a different owner, whoever controls it can replace the script and use it to attack the site and its visitors.

JavaScript security problems are mainly associated with phishing attacks that trick users into divulging credit card numbers and other financial and personal data; this is typically done with JavaScript's redirection capability (assigning to window.location) to send the user to a look-alike page. Fortunately, with the security measures now built into leading browsers such as Mozilla's Firefox, JavaScript is slowly taking a back seat as a security threat, while spyware and other techniques are used to exploit Internet users instead.