Does JavaScript Pose A Security Risk?

JavaScript is a silent threat!


I can no longer imagine the current structure of the web without JavaScript. This is about online applications in the form of traditional websites; otherwise traditional web interfaces would not be able to handle the applications, and the web would collapse without JS!

That does not mean I am a fan of JavaScript in terms of security, even though I am a JS coder myself. Even with all the sandboxing and native security countermeasures, the way we use it today is risky. What level of risk, and under what threat model? It depends on what type of internet user we are dealing with.

For a user with a limited internet browsing scope, whether a home user or a corporate user under restrictive and secure corporate policies, the risk is very low. This assumes the user has a limited number of trusted sources to browse, so exposure is only to known code and applications.

The JavaScript threat is completely out of scope of general endpoint protection solutions


For a user who visits a wide range of random and unknown sites and applications, at home or at work, the possibility of facing malicious JavaScript is very high. It arrives either directly, from malicious code such as browser extensions and add-ons, or indirectly, from malicious ads and other types of metadata. Let's list some of the common scenarios:

  • Malicious JavaScript in a browser extension records everything you do online
  • Malicious JavaScript in a hijacked ad redirects to any malicious destination
  • Malicious JavaScript within a page mimics signing in with a Google, Facebook, or Microsoft account and steals credentials
  • Malicious JavaScript renders the content and misleads the visitor
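
For the first scenario in the list, a defender can at least read an extension's manifest before installing it and see how much of the browsing session it is allowed to observe. The following is an added example, not code from the original post; the `auditManifest` helper, the short list of sensitive permissions and both sample manifests are constructed for illustration.

```javascript
// Added example: flag extension manifests that can observe every site you visit.
// Key names follow the WebExtension manifest.json format (Manifest V2 and V3).
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;
// Assumption: a short illustrative list, not a complete catalogue of risky APIs.
const SENSITIVE_APIS = ["tabs", "webRequest", "history", "cookies", "clipboardRead"];

function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.optional_permissions || []);
  // MV2 lists host patterns inside "permissions"; MV3 uses "host_permissions".
  const hosts = [].concat(manifest.host_permissions || [],
    perms.filter((p) => p === "<all_urls>" || p.includes("://")));

  for (const h of hosts) {
    if (ALL_SITES.test(h)) findings.push(`host access to every site: ${h}`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => ALL_SITES.test(m))) {
      findings.push(`content script injected into every page: ${(cs.js || []).join(", ")}`);
    }
  }
  for (const p of perms) {
    if (SENSITIVE_APIS.includes(p)) findings.push(`sensitive API permission: ${p}`);
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 3,
  name: "Sample Coupon Helper",
  permissions: ["tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const narrowManifest = {
  manifest_version: 3,
  name: "Sample Mail Notifier",
  permissions: ["storage", "alarms"],
  host_permissions: ["https://mail.example.com/*"],
};

console.log(auditManifest(broadManifest));  // three findings
console.log(auditManifest(narrowManifest)); // no findings
```

An empty result only means the manifest does not ask for site-wide access; it says nothing about what the extension's scripts do on the sites they are allowed to touch.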

The possibilities are endless when it comes to creative malicious content. But again, how can you even think about not using the most reputable Net applications by disabling JavaScript?


The beauty of JS from a hacker's point of view is that it does not matter what type of protection you have, a basic antivirus or the most sophisticated EDR: none are capable of handling many types of malicious JavaScript code. That means these threats are totally out of scope of general endpoint protection and of all the solutions that the majority of technology currently relies on.

Author: Kaveh Mofidi

Still waking up every morning with so much passion just to do one thing: find simple solutions for big complicated issues! And seriously, information security and computers are so fun to play with, but those are not a big deal; we need to find solutions for unlimited energy, drinkable water, food, shelter, jobs, war, injustice... those are our real problems on Earth!