10.4 Scripting languages

There are many ways to extend the functionality or interactivity of a browser. In the previous section, we saw that helper applications and plug-ins provide an immediate solution. Similarly, there are full-fledged programming languages that can be used to implement programs that are executed on the client side. The most important such language in use today is Java, which can be used to implement Java applets that are executed in a browser's Java virtual machine (JVM). Unfortunately, the capabilities of most programming languages can only be used effectively by technically skilled programmers. The creation of Java applets from scratch, for example, is beyond the capabilities of many Webmasters. Also, a full-blown Java applet is overkill for most applications. If a Webmaster only needs to verify that the value typed in by a user is a syntactically correct telephone number, developing an applet for this purpose would be overkill (as would using a helper application or plug-in). In this situation, a scripting language provides a simple solution.

There is an increasingly large set of scripting languages available today. Some of these languages primarily address the server side, [11] whereas others primarily address the client side. Among the latter, the most widely used and deployed scripting languages are JavaScript, [12] JScript, [13] and VBScript. [14] Not all scripting languages are supported by all browsers; VBScript, for example, only runs in Microsoft Internet Explorer.

Scripting languages are most often used to control and modify the appearance of a browser. For example, they can make visual elements of the browser appear or disappear, or they can make messages appear in the browser's status line. In fact, some of the earliest JavaScript applications displayed moving banners across the browser's status line. Scripting languages can also be used to create new windows, check or fill out fields in forms, jump to new URLs, process image maps locally, change the content of an HTML file, compute mathematical results, or perform other functions.

The security of a scripting language primarily depends on the power of its commands or methods. For example, if a language has no method to access a file, code written in it cannot be (mis)used to manipulate a file. Similarly, if the language has no method to establish a network connection to a remote site, code written in it cannot be (mis)used to export a file. Both statements are true for JavaScript, which can consequently be considered a comparably secure scripting language. Note, however, that the absence of an explicit network method does not rule out data leakage: a script can still make the browser issue a request on its behalf, for example by setting an image source or submitting a form, and encode whatever information it can read into the requested URL. Unfortunately (from a security point of view), JavaScript is changing rapidly, and Netscape Communications has developed a capabilities-based system that relies on digital signatures to determine which privileges JavaScript code should have. In this system, the security implications are similar to those of Java applets and ActiveX controls (as discussed below).

The most serious threats posed by scripting languages are related to DoS attacks and privacy violations:

  • As mentioned above, scripting languages can be used to do many things that are computationally expensive (e.g., create new windows, compute mathematical functions). Consequently, these languages can be (mis)used to mount DoS attacks against browsers and the corresponding clients. [15]

  • Because scripting language code runs inside a browser, it potentially has access to the same information that is available to the browser. If the code, maliciously or not, leaks parts of this information, privacy violations may occur. Many examples of such privacy violations have been reported in the media, and it is very likely that more will be found and reported in the future.

More worrisome, scripting languages can be used to mount electronic versions of social engineering attacks.

  • For example, the following JavaScript code segment can be used to pop up a window and prompt the user to reenter his or her dial-up password:

    <SCRIPT LANGUAGE="JavaScript">
       password = prompt("You have lost your dial-up connection.\n" +
                         "Please reenter your password", "");
    </SCRIPT>

    It is very likely that many users will type in their passwords if such a window pops up on the screen.

  • Similarly, the status line of a browser normally displays the URL that will be retrieved if the user clicks on an HTML link. Using JavaScript, the user can be made to believe that a link points somewhere other than where it actually leads. For example, the following HTML link displays http://www.realshop.com in the status line when the mouse is moved over it, but clicking on it actually makes the browser jump to the Web site located at http://www.fakedshop.com (current browsers ignore scripted changes to the status line for exactly this reason, but the technique remains instructive):

    Click <A href="http://www.fakedshop.com"
             onMouseover="window.status='http://www.realshop.com';
                          return true">here</A> to enter the real shop.

Obviously, the two techniques (and many others) can be combined to mislead users at will.
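The following is an added example, not code from the book: a small heuristic checker for Node.js that scans raw HTML for the two social-engineering patterns just shown, a prompt() whose message asks for a password-like secret and a link whose onMouseover handler writes a URL into window.status whose host differs from the host in the link's href. It is regex-based rather than a real HTML/JavaScript parser, so hits are leads for manual review, not proof of malice. The function names, the host-mismatch rule, and the two sample pages (built from the snippets above) are assumptions made for this example.

```javascript
// Added example (not from the book): heuristic static checker for the two
// social-engineering patterns discussed in the text. Regex-based, no
// dependencies, runs under Node.js. Names and samples are assumptions.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// name="value" | name='value' | name=value
const ATTR_RE = /([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// first string literal passed to prompt(...), honouring backslash escapes
const PROMPT_RE = /\bprompt\s*\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1/i;
const STATUS_RE = /window\.status\s*=\s*(['"])([^'"]*)\1/i;
const SECRET_WORDS_RE = /pass(?:word|phrase)|\bpin\b|credit card/i;

// Returns the lower-cased host of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Parses the attribute text of a start tag into a {name: value} map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// Pattern 1: a <script> block that calls prompt() with a secret-requesting message.
function findPasswordPrompts(html) {
  const findings = [];
  for (const s of html.matchAll(SCRIPT_RE)) {
    const p = s[1].match(PROMPT_RE);
    if (p && SECRET_WORDS_RE.test(p[2])) {
      findings.push({ kind: 'password-prompt', message: p[2] });
    }
  }
  return findings;
}

// Pattern 2: an <a> whose onMouseover writes a URL with a different host into
// window.status than the one in its href.
function findStatusSpoofs(html) {
  const findings = [];
  for (const a of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(a[1]);
    if (!attrs.href || !attrs.onmouseover) continue;
    const st = attrs.onmouseover.match(STATUS_RE);
    if (!st) continue;
    const shown = hostOf(st[2]);
    const actual = hostOf(attrs.href);
    // Only a host mismatch is reported; showing the same site's URL is harmless.
    if (shown && actual && shown !== actual) {
      findings.push({ kind: 'status-spoof', shown: st[2], actual: attrs.href });
    }
  }
  return findings;
}

function scan(html) {
  return [...findPasswordPrompts(html), ...findStatusSpoofs(html)];
}

// Constructed sample page containing both snippets from the text.
const SAMPLE_ATTACK = String.raw`<html><body>
<SCRIPT LANGUAGE="JavaScript">
  password = prompt("You have lost your dial-up connection.\nPlease reenter your password", "");
</SCRIPT>
Click <A href="http://www.fakedshop.com"
   onMouseover="window.status='http://www.realshop.com'; return true">here</A>
to enter the real shop.
</body></html>`;

// Constructed benign page: the prompt asks for a name, and the status text
// points at the same host as the href.
const SAMPLE_BENIGN = String.raw`<html><body>
<SCRIPT LANGUAGE="JavaScript">
  name = prompt("Please enter your name", "");
</SCRIPT>
<A href="http://www.realshop.com/catalog"
   onMouseover="window.status='http://www.realshop.com/catalog'; return true">catalog</A>
</body></html>`;

console.log(JSON.stringify(scan(SAMPLE_ATTACK), null, 2));  // two findings
console.log(JSON.stringify(scan(SAMPLE_BENIGN), null, 2));  // []
```

The host comparison is the point of the second check: a script that mirrors the link's own URL into the status line is legitimate, so only a cross-host mismatch is flagged. A script could evade the regexes easily (string concatenation, indirect calls), which is why this kind of check belongs in a review pipeline alongside, not instead of, disabling or signing scripts as the text recommends.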

In summary, scripting languages such as JavaScript, JScript, and VBScript offer interesting possibilities for attacking client systems (or the users of these systems), and such systems should therefore be configured so that these languages are disabled. Unfortunately, this is not always possible, and an increasingly large number of applications requires support for these languages. Against this background, the use and deployment of code and object signing technologies to authenticate code written in scripting languages is becoming more and more important.

[11] Server-side scripting languages and their security implications are addressed in Chapter 11.

[12] JavaScript is a simple scripting language that Netscape Communications developed to make animation and other forms of interaction more convenient. It was first named LiveScript.

[13] JScript is the Microsoft version of JavaScript. It has been available in Microsoft Internet Explorer since version 3.0.

[14] VBScript is a dialect of Visual Basic and draws on the popularity of that programming language in Microsoft Windows environments.




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Authors: Rolf Oppliger