Re: Active-content filtering (was RE: Buffer Overruns)

["Hazel A. Borg" <hab () powersurfr com>]

I am a web developer who took a course in firewalls which opened up
my eyes to a whole new world.  I have been following the messages in
this group with great interest.  You are correct in the fact that I don't
understand the technology and I was wondering if someone if you could
educate me.  No where in my schooling or the references I use in web
developing is there a mention of the security problems with JavaScript.
All the programs like adobe image ready and macromedia fireworks etc use
JavaScript making features as a major selling point in their software.
In simple terms what is the major risk with JavaScript? Is there a hacking
program out there that uses and writes to the hard drive?  Thanks in
advance for answering such a simple question - just think one web
developer educated - millions more left to go.

> > One or two messages in this thread mentioned some firewalls' ability to
filter
> > out Java[script]|ActiveX from the HTTP stream.
> >
> > Considering the current scenario, where lots and lots of sites with
valid,
> > business-need content, will use client-side scripting|code as
fundamental for
> > functionality (news/stock tickers, client-side input validation,
etc...),
> I VEHEMENTLY dispute that any of these scripting technologies are
*legitimate*
> business-need content.  On the contrary, they are symptoms of "lazy web
developer
> who doesn't understand the technology."  I have never, ever encountered a
web site
> that used Javascript in a way that was actually necessary to perform the
business
> function.  On the other hand, I have encountered many web sites that
failed to
> function properly without Javascript, but only used Javascript for
"glitz", i.e.
> every single Javascript function could just as easily been replaced with a
normal
> URL linking to a page of HTML.
>
> The current trend towards *requiring* Javascript to be able to access a
web site
> horrifies me.  I don't mind if the glitz is there, but the entire site
SHOULD work
> properly without Javascript.  Cute little pages that tell the user to
upgrade
> their browser are wrong:  it is the web site that is broken, not the
browser.
> Using Javascript for cutsiness is fine, but *requiring* Javascript for
> functionality is not fine.
>
> So much for "busienss need".  Now what about the risks?  MOST of the
browser
> vulnerabilites that have been discovered this year have concerned
Javascript
> specifically.  The number two culpret has been Java and JVMs.  To me,
these to
> factors together make an EXCELLENT case for filtering Javascript.
>
> They also make an excellent case for spanking majorly broken major web
sites like
> United Airlines ( http://www.ual.com ) and Continental Airlines (
> http://www.continental.com/dash/build_dash.asp?vs_1999_11_22_00 ) because
they are
> a hazard to Internet security.  Not that they contain hazardous
Javascript, but
> just because they require Javascript they essentially force firewall
admins to
> admint Javascript in general to the site, exposing thousands of businesses
to
> major risks just for the convenience of some lame web developers.
>
> Context:  I run with Javascript disabled in my web browser most of the
time.  When
> I encounter a Javascript site, I mostly just leave immediately and never
return.
> When I have a business need to use the site anyway, I grudgingly do so,
but it
> produces a *very* negative impression of that business in my mind.
Requiring
> Javascript tells me that the business cares more about their convenience
than my
> security.
>
> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
> Free Hardened Linux Distribution:                 http://immunix.org