JavaScript security: the elephant running in your browser

John Graham-Cumming

Visit any major website, such as a bank or a retailer, and your web browser will run small pieces of JavaScript for web analytics, ad serving, automatic offer targeting or Amazon.com-style recommendations. These so-called tags weren't written by the owner of the website but were provided by a third party. Yet JavaScript's security model, or lack of it, means that any piece of JavaScript in a page can interact with any other piece and with the page itself. So, how does a major bank or retailer know that this code isn't malicious? And where did the code come from? In most cases the website owner has little idea what the codes does, and it typically gets delivered by unsecured email.

This paper and talk look at the risks, both technical and procedural, of the current state of JavaScript page tagging with specific examples from actual websites. It then examines the projects such as CAJA, adSAFE and jsHub that attempt to eliminate this sorry, and potentially disastrous, state of affairs.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘Always fantastic and memorable, VB is still small and intimate (e.g. vs RSA), yet has the ambience and professionalism of a big budget conference - a perfect balance.’

Poll

Do you use the same password(s) across multiple websites?

Leave a comment
View 4 comments

VB2010

VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada. Early bird discount available until 15th June 2010.

Virus Bulletin currently has 190,982 registered users.

Fighting malware and spam