
SANS ISC: Javascript hiding everywhere. - SANS Internet Storm Center SANS ISC InfoSec Forums


Javascript hiding everywhere.

Frequent readers will know that we often recommend easing up on allowing scripting, as it's used by the bad guys. XSS bugs are so bad not because of the example <sc ript>alert('XSS')</sc ript> (spaces added for the overly paranoid web content filters) you might see, but because of much nastier things, starting with capturing your cookies (read: credentials, session keys etc.). Keyloggers aren't impossible either, and making you unknowingly upload files from your hard disk to malicious websites etc. is all quite possible in JavaScript.

And if you thought it stops at your browser seeing JavaScript in the HTML pages themselves, think again:

QuickTime

Apple's software designers/coders must have thought it a cool idea to allow JavaScript inside a QuickTime movie. Yep, a movie isn't just some moving images; it can just as well contain (malicious) code that will be executed by the movie viewer that gets embedded in the pages you view. Didier Stevens has a blog entry about it, explaining it in detail.

Flash

If you use Flash, you already have cookies not just in your browser, but also in your Flash player. You can see the settings for the Flash player's use of such storage here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html . Do take care fiddling with your settings: you can easily make Flash stop working all that well if you overdo it (speaking from experience here). That settings pane/web page doesn't seem to mention to the casual user that Flash also supports JavaScript, nor that it has already been hit by XSS issues in the past: e.g. this August 2002 article is about one such problem.

PDF

Unfortunately, PDF files allow JavaScript too, and have had their share of problems with it as well.

MP3

Contains just music, right? Well, many will be copyright lawsuits waiting to happen if you let the music industry have its way, but yep, they too can contain scripting. Granted, you might need QuickTime installed to get to it, but most iPod owners will have iTunes, and that comes with QuickTime bundled into it ...

...

Unfortunately there are many more formats that allow remote code execution by allowing scripting or extensive macro languages.

If there's a lesson to be learned, it might well be that you need to keep looking out for scripting languages, cookies and more, hidden even in places you might not expect them to creep into.

If you have good workable solutions to prevent scripting in all these media rich formats, let us know.

--
Swa Frantzen -- NET2S
