2020-12: another reason why JavaScript SUCKS badly and websites NEED TO WORK without JS: it might “destroy” NAT security:
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
2019-04: Chrome Sandbox exploit “pop calc” https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html
(search for it, there are more cases of this)
… the list of JavaScript security problems is almost endless… turning “surfing the www” into a dangerous endeavor. Every click, every website, could be “the last” for one’s holiday pictures (that were not backed up to two external harddisks, one complete copy ALWAYS residing off-site in a fire-proof safe, no?) because ransomware will encrypt them and present one with the “bill” for its efforts.
We all – except Node.js people and those that want JavaScript to control nuclear power plants – have seen it coming: JavaScript = running server-downloaded code inside the client is “great” but comes with massive security problems.
Stallman Anti-JavaScript rant: https://www.gnu.org/philosophy/javascript-trap.en.html
(I think he complains more about the fact that most JavaScript doesn’t come with a licence)
Intranet use – okay – Internet/Web-use – not okay.
Any page that does not render its content (text/pictures) properly without JS SUCKS!
Do I hate JS?
Partly. For me it always felt “sluggish”, slow and unreliable – one browser does JS better/faster than others, or not at all. On the other side it makes the web more alive, more animated, more vibrant, more interesting – but also more annoying.
JS is a security problem:
The lesser problem: nasty popups, hidden windows in the background, spying and privacy problems: some viruses you can get simply by visiting a website with an outdated OS/browser and JavaScript enabled.
Not only that – it also seems possible to do side-channel attacks (super mega slow but possible) on Intel CPUs with out-of-order execution, e.g. theoretically read browser passwords from a Firefox web client.
Conclusion: if you build platforms and you can avoid JavaScript, do it.
“In this paper, we presented Rowhammer.js, an implementation of the Rowhammer attack using fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. It is the first work to investigate eviction strategies to defeat complex cache replacement policies. This does not only enable to trigger Rowhammer in JavaScript, it also benefits research on cache attacks as it allows to perform attacks on recent and unknown CPUs fast and reliably. Our fully automated attack runs in JavaScript through a remote website and can gain unrestricted access to systems. The attack technique is independent of CPU microarchitecture, programming language and execution environment.
The majority of DDR3 modules are vulnerable and DDR4 modules can be vulnerable too. Thus, it is important to discover all Rowhammer attack vectors. Automated attacks through websites pose an enormous threat as they can be performed on millions of victim machines simultaneously”
src: Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: Proc. of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2016)
JavaScript security defeats TOR Browser + NoScript plugin:
I guess an update will fix that?
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
src: https://twitter.com/Zerodium/status/1039127214602641409
possible solution?
So maybe the solution is to allow JS to run only on sites/servers/intranets that you 100% TRUST and have explicitly put on a whitelist,
provided those intranet sites and servers are shielded against hacks/viruses and against someone altering your code.
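What such a whitelist check could look like, as an added example (not code from this article or from any browser/plugin): scripts are denied by default and allowed only for an exact origin match, and nothing the server sends (like the Content-Type header from the advisory above) takes part in the decision. The `*.example` origins and the function names are made-up placeholders.

```javascript
// Added example: default-deny script allowlist keyed on the exact origin.
// The origins below are constructed placeholders, not from the article.
const TRUSTED_ORIGINS = new Set([
  "https://intranet.example",
  "https://wiki.intranet.example:8443",
]);

// Returns the normalized origin of a URL, or null if it can never be trusted
// (unparsable, not HTTPS, or a scheme without a real origin such as data:).
function originOf(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null; // plain HTTP can be altered in transit
  return u.origin; // scheme + lowercased host + port (default port dropped)
}

// Default deny: scripts run only when the page origin is an exact member of
// the allowlist. No suffix or substring matching, and no server-supplied
// header (Content-Type etc.) is consulted.
function scriptAllowed(pageUrl, allowlist = TRUSTED_ORIGINS) {
  const origin = originOf(pageUrl);
  return origin !== null && allowlist.has(origin);
}

// Builds a Content-Security-Policy value for the trusted servers to send,
// so an allowed page can itself only load scripts from allowlisted origins.
function cspFor(allowlist = TRUSTED_ORIGINS) {
  const sources = [...allowlist].sort().join(" ");
  return `script-src ${sources}; object-src 'none'; base-uri 'none'`;
}
```

Lookalike hosts, `user@host` tricks, HTTP downgrades and non-listed ports all fall through to "deny" because only the parsed origin is compared.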