JavaScript – a brief description
JavaScript is an object-based scripting language developed by Netscape and shipped with the Netscape Navigator browser in December 1995. Microsoft soon recognized its potential and produced its own implementation, JScript, for Internet Explorer. Both are implementations of the language standardized by Ecma International as ECMA-262 (ECMAScript).
JavaScript interacts with the HTML of a page, turning static web pages into dynamic and interactive sites. Because web authors can use it to add behaviour to content with little effort, it is used throughout the world in millions of web pages and applications. Its syntax resembles C++ and Java, but although both Java and JavaScript borrow their syntax from C, the two languages are otherwise unrelated.
JavaScript in a web page can perform actions that HTML alone cannot. To do this, embedded JavaScript functions read and modify the Document Object Model (DOM) of the page. Some examples include:
· Opening new popup windows and controlling their look, size, and position.
· Swapping in a new image when the mouse moves over an existing one.
Security Concerns
There have been considerable security issues with JavaScript because the browser executes whatever script a page delivers, and that script runs with access to the page's DOM, cookies and session. It is a well-established attack vector: an attacker who can inject script into a page the victim trusts, through cross-site scripting (XSS), bypasses the barriers the browser places between sites. Java applets have suffered similar issues, but they are typically less serious because of the self-contained security mechanism known as "sandboxing". The kinds of vulnerabilities seen with scripting have recently been used to build powerful browser exploits and phishing attacks that fraudulently obtain sensitive or confidential information.
One example of an exploit scenario involves an attacker (or malware vendor) creating and sending a URL that directs the victim's browser to a page containing hostile JavaScript. When the page is viewed, the embedded JavaScript runs automatically and fetches further HTML onto the user's computer. That HTML is now the foothold: it can load and run additional malicious scripts without the user doing anything more than visiting the page.
It is difficult to detect
when these security breaches occur as they happen behind
the scenes with little to no noticeable effect.
Prevention?
To avoid malicious attacks and the related system vulnerabilities, any data that could be a threat, in practice anything a user supplied, must have its HTML special characters (such as <, >, &, and quotes) encoded before it is displayed in a web page. Most web programming languages and frameworks provide functions for this encoding, which is known as "escaping" or "quoting". The downside is that it disables particular functionality for web applications that need to display user-supplied HTML, such as web mail and forums, because the markup is shown literally rather than rendered.
There are applications that try to encode or remove only the HTML that is potentially malicious while keeping the rest, but because of the complexity of this task it is difficult to know how thoroughly such a filter catches every case. This is largely because scripts are tightly woven into HTML syntax: a filter has to anticipate how browsers will interpret, repair, and render broken or unusual HTML, and a payload that one filter pass removes can be reassembled from the fragments the filter left behind.
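The two approaches above, escaping untrusted text and filtering out dangerous HTML, can be compared directly. The following is an added example written for this page, not code from the original article or from any product it mentions: a small comment renderer in JavaScript that builds the same markup three ways (unescaped, after a one-pass blacklist filter, and with output escaping) and checks which of a set of constructed XSS payloads survive. The page layout, the helper names (escapeHtml, renderCommentUnsafe, renderCommentSafe, stripScriptTags, containsActiveContent, compareStrategies) and the payloads are assumptions made for illustration; in a browser, the equivalent of the escaped path is assigning untrusted text to textContent rather than innerHTML.

```javascript
// Added example, not code from the original article: output encoding of
// untrusted text beside the kind of blacklist filter the article warns
// about. Page layout, payloads and helper names are constructed for
// illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that can change HTML structure so the text is
// rendered literally. One replace pass never re-scans its own output, so
// "&" cannot be double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted values concatenated straight into markup, once in
// an attribute and once in element text (the classic XSS pattern).
function renderCommentUnsafe(author, body) {
  return `<div class="comment" title="${author}"><p>${body}</p></div>`;
}

// Hardened: every untrusted value is escaped. The same encoder serves both
// the quoted attribute and the element text because it encodes quotes.
function renderCommentSafe(author, body) {
  return `<div class="comment" title="${escapeHtml(author)}"><p>${escapeHtml(body)}</p></div>`;
}

// A "remove the dangerous HTML" filter of the kind the article describes:
// one pass that deletes <script> and </script> tags and nothing else.
function stripScriptTags(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

// Rough check used to judge each output: does the markup still contain a
// script element or a tag with an on* event-handler attribute? It walks
// tags and quoted attribute values the way a browser tokenizer does
// (a quoted value may contain '<' or '>'), so it parses rather than greps.
function containsActiveContent(html) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    if (tag[1].toLowerCase() === "script") return true;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      if (/^on/i.test(attr[1])) return true;
    }
  }
  return false;
}

// Constructed attack payloads: a script tag, an event handler on an
// ordinary tag, a payload that only becomes <script> after one filter
// pass (a browser reads <scr<script>ipt> as one unknown tag, so the raw
// form is inert), and an attribute breakout aimed at the title="..." slot.
const PAYLOADS = [
  "<script>alert(1)</script>",
  '<img src="x" onerror="alert(1)">',
  "<scr<script>ipt>alert(1)</scr</script>ipt>",
  '" onmouseover="alert(1)',
];

// Feed each payload through a rendering strategy as both author and body
// and return the payloads that come out as live markup.
function survivingPayloads(render) {
  return PAYLOADS.filter((p) => containsActiveContent(render(p, p)));
}

// Worked comparison of the three strategies the article discusses:
// no encoding, blacklist filtering, and output escaping.
function compareStrategies() {
  return {
    unsafe: survivingPayloads(renderCommentUnsafe).length,
    blacklist: survivingPayloads((a, b) =>
      renderCommentUnsafe(stripScriptTags(a), stripScriptTags(b))).length,
    escaped: survivingPayloads(renderCommentSafe).length,
  };
}

console.log(compareStrategies()); // { unsafe: 3, blacklist: 3, escaped: 0 }
```

Run it with node. The filter removes the plain script tag but leaves the event-handler and attribute-breakout payloads untouched, and it turns the inert nested payload into a working one, which is exactly the thoroughness problem described above. Escaping leaves nothing active, at the cost that a comment such as `<b>hi</b>` is shown as literal text.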
There are browser add-ons and tools that let users disable client-side scripting, which prevents falling prey to most cross-site scripting attacks. However, HTML alone can still load external content through ordinary tags written with the "<" and ">" syntax (images and frames, for example), so some tricks still work without any script. Users can also disable scripts for particular web sites in their browser settings, but this requires knowing in advance which sites contain malicious scripting. Also, some sites do not function properly with these restrictions in place.
Solutions
Reliance on good web programming is a necessity. There is little a user can do to provide protection; the burden of providing safe online activity rests on web developers. Some of the top web companies, including eBay, Microsoft and Google, have had to address scripting vulnerabilities in their sites. Validating user-submitted input and fixing cross-site scripting vulnerabilities are solutions that need to be addressed on the server side.
We are still in the early stages of scripting attacks, but given the popularity of this kind of JavaScript functionality, and with malware creators turning to more sophisticated and stealthy tactics, it is likely we will see more issues related to malicious scripting. Adhering to best practices is highly recommended but cannot, in all situations, provide sufficient protection from malware attacks. These attacks can be a serious matter with respect to loss of confidential information.
In the event that malware is downloaded to your system, a thorough and effective tool for detection and removal of malicious and infected items is crucial. We recommend you try XoftSpySE Anti-Spyware for complete removal of malware infections and RegCure Registry Cleaner to clean and optimize the performance of your PC.