Java/JavaScript DoS

[ian () HARVESTROAD COM AU (Ian McKellar)]

--I+Z3u+9OQ7kwn0Nt
Content-Type: text/plain; charset=us-ascii

Hi,

I was reading through my friendly `Webmaster in a Nutshell' O'Reilly book, and
I came across a reference to the creation of Java objects from JavaScript
i.e.:

<SCRIPT LANG=JavaScript>
var s=java.lang.System;
s.out.println("this is a test");

// or even

var r=new java.lang.String("this is a string");

</SCRIPT>

This intreaged me, so my mind turned (as it does) to matters of security. One
think you can't do with these dynamically created Java objects is make any
outbound network connections, or successfully receive and incoming connections.

One concerning thing you can do is:

javascript:while(true) { (new java.awt.Frame("DoS!")).show(); }

This will very quickly open lots of windows you can't close.

I don't see these as serious issues, but something that we should be aware of.

Ian

--
Ian McKellar           imckellar () harvestroad com au
Web Author                   Phone: +61 8 9389 6200
Harvest Road Communications    Fax: +61 8 9389 6201
Finger ian () harvestroad com au for my Public PGP Key

Copyright (c) 1997 Ian McKellar, All Rights Reserved. Publication or
distribution without the prior consent of the copyright holder is prohibited.

--I+Z3u+9OQ7kwn0Nt
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNB91+Oc73mdZIn3VAQHP/wP/f902JGK2uqTGKy1NhlQ/mkIT+UBZS8eF
hKde4CE4302SJWx+9DGqN6Of6XUb6defNXp7MyorHAHcqWAooWtRPWOC8aRUxNKR
Ejn6iw2r+bMKF/Z4zSQPCfmbxbcXWHtyIvEjDMnQ9yi3KG4udMwi9gMjneY3chKI
9fZhqNSB2TA=
=2zdf
-----END PGP SIGNATURE-----

--I+Z3u+9OQ7kwn0Nt--