Study: One-Third Of Websites Use Outdated, Insecure JavaScript Libraries

Status
Not open for further replies.

Morbus

Honorable
Nov 30, 2013
252
0
10,810
There's no such thing as an insecure JavaScript library, is there?
I'm not an expert, but if it's client-side, you can use whatever library you like, there's no point in security, because the user is always king.
I could be wrong, of course, but I don't really see an instance where JavaScript security is ever a thing. It's like locking your curtains or covering your money with a drinking glass.
 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680
@Morbus, I had the same thought. Since any user can substitute their own JavaScript any time, if there's any insecurity here it feels like it must be in the web standards or their implementations themselves.
 

michalt

Distinguished
Jun 20, 2010
18
1
18,515
@morbus A lot of web sites are developed using server side JavaScript. Look up node.js as one of the recently popular development stacks.
 

brucek2

Distinguished
Dec 31, 2008
117
0
18,680
Fair enough, but this particular study must be talking about client side JavaScript, no? Because they wouldn't have access to know what was running on the server...

 

Marissaryan

Prominent
Mar 20, 2017
1
0
510
Could there be MORE ads on this site? I was going to share this article on my social profiles, but i dont feel comfortable sending my audience to such a spam-filled landing page.
 

B_Sterner

Prominent
Apr 13, 2017
1
0
510
@morbus, only as a quick example.

A page pulls information from the URL with client-side JavaScript. In the function that handles the path, there is a eval() statement. Now someone posts a link on a website to the new article/post on somesite.com and slips some code in the link.

- This code in the link is then evaluated, runs a script and sends your cookie information, username, anything it can get, to a remote server. Perhaps on a payment site in forwards your payment info next time you purchase something.

- Maybe the bad link dynamically changes the download link of a download page. The installer thinks they are downloading something from the current site, but it instead downloads from evilsite.com.

- Maybe someone has figured a way to upload a script on sub-domain.somesite.com. Now they set document.domain = "somesite.com" and then uses an altered link to incorporate that script. Now that script will run as if from the same domain.
 
Status
Not open for further replies.