Monday, August 06, 2007

JavaScript is just evil (for you) [ Part I ]

This is the first of 3 parts of the document entitled: "JavaScript is just evil".

Here are the first 2 chapters.

1.- DoSing the browser

You won't learn anything new in this first chapter; it is just a set of examples.

2.- Injecting code and tracing stack

Here we will see some attack vectors for chrome privilege escalation.

In them I will demonstrate, through several code examples, how JavaScript can be used for evil.

This started a while ago when, while chatting with Giorgio Maone and showing him an example that crashed Firefox (using intervals), he said in response: "there's nothing we can do, javascript is just evil".

The phrase "javascript is just evil" captivated me in such a way that I started thinking about the ways in which JavaScript could be used for evil.

I have divided the document into 3 sections, and those into 5 chapters.

  JavaScript is just evil (for you).

    1. DoSing the browser

    2. Injecting code and tracing stack

  JavaScript is just evil (for your server).

    3. XSS Worms

    4. DOM Level XSS

  JavaScript is just evil (for your local files).

    5. Local Files Privileges and HTA's

I hope you like them!


  1. Interesting research. Some would plain call it the 'AOP features' of JavaScript - others might see grave security problems in relation to XSS ;)

    I once installed a client side security monitor for a client which extended common XSS probing methods like alert and document.write with a JSOD based logging hence all client side application logic used console.log|dir for debugging purposes.

    What I didn't know was how to monitor the changes of variable values - very interesting stuff!

  2. Glad you liked it mario!

    Unfortunately that's only available on Firefox..