JavaScript security: the elephant running in your browser
John Graham-Cumming
Visit any major website, such as a bank or a retailer, and your web browser will run small pieces of JavaScript for web
analytics, ad serving, automatic offer targeting or Amazon.com-style recommendations. These so-called tags weren't written
by the owner of the website but were provided by a third party. Yet JavaScript's security model, or lack of it, means that
any piece of JavaScript in a page can interact with any other piece and with the page itself. So, how does a major bank
or retailer know that this code isn't malicious? And where did the code come from? In most cases the website owner has
little idea what the codes does, and it typically gets delivered by unsecured email.
This paper and talk look at the risks, both technical and procedural, of the current state of JavaScript page tagging
with specific examples from actual websites. It then examines the projects such as CAJA, adSAFE and jsHub that attempt
to eliminate this sorry, and potentially disastrous, state of affairs.
Quick Links
When do you install software updates?
Leave a commentView 12 comments

- virusbtn: RT @emailsecmatters: The typical spam message has sources as diverse as the spam lunch meat: http://ht.ly/2yucd
2 hours ago
- virusbtn: Can anyone write a rap about our RAP tests (http://bit.ly/255ySQ) and submit it to the Symantec competition http://bit.ly/bOJg8r
5 hours ago


With another epic haul of 54 products to test this month, the VB test team could
have done without the bad behaviour of a number of products: terrible product
design, lack of accountability for activities, blatant false alarms in major
software, numerous problems detecting the WildList set, and some horrendous
instability under pressure. Happily, there were also some good performances to
balance things out. John Hawes has the details.
See full results.
Virus Bulletin currently has 208,224
registered users.