Category Archives: Javascript

Javascript security

the state of Mixed Mode

browsersecurity
When a browser grabs a webpage over HTTPS, *nobody* (aside from revelations that governments can see our SSL traffic) can see what’s happening between your browser and the target webserver.  You are protected against the prying eyes of an evil network admin, proxy admin or even government.

Modern websites often import JavaScripts files from multiple sources, to have extra functionality (Facebook’s like button, widgets) or entire frameworks such as JQuery or YUI.  If these JavaScript resources are loaded form a non-SSL location, we refer to this usually as Mixed Content mode.  I did some research to find out how browsers handle these things; both on desktops as well as mobiles.

Please run the tests on https://bloat.io/mm/, it looks *very* rudimentary, but I am gathering some information from different browsers.  Let the page load for a few seconds, and everything gets logged in a database.  As a “visual”, the more “warning icons” you see, the more vulnerable your browser is.

Don’t worry, it won’t try to exploit anything or crash.

Javascript rails

Rails, what’s wrong with serving static JS and CSS files?

For a new web project, I’ve been looking at Rails 3.1, the latest update of the popular Ruby on Rails web application framework.

Although I just started on it, and haven’t seen all the goodness, one thing that raised my eyebrows is how static content a la CSS and JavaScript is handled, through an asset pipeline.

In a nutshell, since I’m doing the JQuery bit of the site now, wouldn’t it make much more sense to fetch the libraries from CDN’s, cache the remaining recurring libraries in Nginx (or Apache), and leaving the page specific bits in one big <script> tag, instead of pushing all in a bloated application.js page?

Then again, although I think Rails was what the web community needed, I always had my ideas about frameworks.

Thanks,
Michael

Javascript security web

JQlog: JQuery Keylogger, or why not to trust your proxy admin.

Note that this post is for awareness and educational purposes only. I do not encourage, and cannot be held responsible for malicious actions using these tools.

The Internet, as it is today, is a mash-up of JavaScript enabled services, often included from external websites. Internet companies offer so-called widgets, which are JavaScript tools that can be used in your own page. Popular examples of this are site analytics (Omniture, Google Analytics, etc) or share-abilities (AddThis, AddToAny, …). It’s by overwriting Javascript libraries on a page, that we can do other things, such as recording keystrokes.

“Overwriting” javascript libraries, or rather “inserting javascript” can be done in several ways. Cross Site Scripting is one of them, but for the sake of this blog post, I will act as a malicious proxy administrator, and overwrite the Google Analytics DNS entry (www.google-analytics.com) and “fake” the ga.js javascript file.

For this, you’d need only 2 files:

This javascript file, found here, holds 3 parts: JQuery, a base64 encoder and the keylogger code itself: read more »