Javascript is dangerous. You may have heard this many times. However, it is essential to around 90% of web applications. Basically anything that a user (the client) can interact with runs Javascript in the browser.

In the hands of unethical hackers, it can be used to steal your data without you ever noticing. Put simply, keeping Javascript locked down is difficult. Let’s see how and why.

How Does Javascript Work On Web Pages?

Javascript is popularly referred to as the language of the web. Every recent web browser tries to execute the language faster than the previous version did. A browser’s typical mode of operation is to fetch pages that have Javascript code embedded in them.

Afterwards, depending on what the Javascript is programmed to do, it may execute immediately or wait for a trigger, such as a click or other user interaction. Once triggered, the code executes line by line.

So, if Javascript code is embedded right in a web page, it can add behaviour to that page. This is what most black hat hackers prey on. Another vital part of Javascript is its libraries: collections of prewritten Javascript files that make building Javascript-based applications easier.

This means that to use Javascript effectively, you may need a library. The functions in such a library let you accomplish crucial tasks on your webpage. What would a vulnerability in a Javascript library mean? A bad actor can reverse engineer it, discover vulnerabilities, and then create exploits for them. Because the same library is loaded by a huge number of sites, these exploits could affect millions of browsers and users; it’s pretty dangerous.

Javascript libraries can be abused, leading to some pretty awful scenarios. In a nutshell, they make compromising your browser a piece of cake for hackers. Almost every website on the internet uses Javascript libraries, with jQuery being the most popular.

How Can Black Hat Hackers Exploit Javascript?

Black hat hackers, as they’re popularly known, hunt for vulnerabilities for which exploits can be created. These exploits can be used to attack the web server or the user’s browser, and are categorized as “server side” and “client side” attacks respectively.

Sometimes the attacker may not need to attack the user directly with a phishing link. If the web application is vulnerable enough, they can embed malicious code into the web server’s web root, a configuration file, or a vulnerable input field.

Only a small piece of embedded Javascript is needed to record or monitor activity on a web page. Let’s consider some web application attacks.

Cross-site Scripting (XSS)

One of the common misuses of Javascript is cross-site scripting (XSS). XSS allows black hat hackers to inject malicious Javascript code into a website or web application. The malicious payload executes in the browser of any user who visits the affected page, compromising their browser or stealing their cookies.

If this happens on a website that handles sensitive user information such as financial data, that information can be stolen. In worst-case scenarios, an XSS payload can replicate itself and spread as a worm.

Another attack popular with attackers is cross-site request forgery (CSRF). In this attack, the attacker abuses a user’s logged-in session with an application to make forged requests to that application on the user’s behalf. This can lead to fraudulent transfers of funds, account setting changes, and device or browser compromise.

A popular tool that hackers use is the Browser Exploitation Framework (BeEF). BeEF provides a browser-based admin page from which the operator can control a hooked browser or send social engineering attacks to it. Before the attacker can do this, however, the victim needs to click on a malicious phishing link or attachment. This “hooks” the victim’s browser, giving the attacker control over it. This is also called a BeEF hook.

Once a browser is hooked, BeEF can be used for:

  1. Speaking or recording voice or video via webcam
  2. Sending pop-up messages to the browser
  3. Redirecting the user to impersonated login web pages
  4. Viewing browser history, saved user credentials for logins, and cookies

[Screenshots of the BeEF admin interface appear here in the original article; they are not reproduced in this text version.]

SQL Injection (SQLi)

Structured Query Language (SQL) injection attacks are very sophisticated. Hackers may be able to run malicious queries against your site’s database. The database might be a SQL, NoSQL, MariaDB, or OracleDB database. These databases store information in databases, tables, and columns; the information might be a list of usernames or product IDs.

Here’s an example of this kind of attack. 

A command like ' or 1=1-- makes the WHERE condition always true and, when the database is vulnerable, returns every row in the table. This string can be entered into any user input field for testing.
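To make clear why that string works and why parameterized queries stop it, here is an added example (not from the article) that builds the same login query two ways: by string concatenation, and with a bound parameter in the { text, values } shape that drivers such as node-postgres accept. The `effectiveQuery` helper is a deliberate simplification that only shows what remains once a `--` comment has removed the tail of the query; the payload and usernames are constructed for the example.

```javascript
// Constructed payload from the article: the quote closes the string literal, "or 1=1"
// makes the condition always true, and "--" comments out whatever the application appended.
const PAYLOAD = "' or 1=1--";

// Vulnerable: untrusted input is spliced into the SQL text, so it can change the
// query's structure, not just its data.
function buildLoginQueryUnsafe(username) {
  return `SELECT id FROM users WHERE username = '${username}' AND active = 1`;
}

// Hardened: the SQL text is constant and the input travels as a bound parameter.
// The driver sends the value separately from the statement, so no quote or comment
// marker inside it can alter what the database parses.
function buildLoginQuerySafe(username) {
  return {
    text: 'SELECT id FROM users WHERE username = $1 AND active = 1',
    values: [username],
  };
}

// Show what the database actually runs once the "--" comment has removed the tail.
// Simplification: takes everything before the first "--" and ignores "--" inside string
// literals; note that MySQL requires whitespace after "--" for it to count as a comment.
function effectiveQuery(sql) {
  const idx = sql.indexOf('--');
  return (idx === -1 ? sql : sql.slice(0, idx)).trim();
}

// Allowlist validation that complements parameterization: reject anything that does
// not look like a username before it reaches the data layer.
function isValidUsername(username) {
  return typeof username === 'string' && /^[A-Za-z0-9_.-]{3,32}$/.test(username);
}
```

Run against `PAYLOAD`, the unsafe builder yields a query whose effective text no longer checks `active = 1` at all, while the safe builder’s SQL text is unchanged and the payload sits harmlessly in `values`.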

How Do I Mitigate XSS and Save my Browser?

The good news is that XSS attacks can be mitigated. The web application can validate form fields and avoid placing user input directly into the web page.

How do I validate form fields? Frameworks help ensure that user-submitted forms filter out unsafe characters. A typical example is Django’s built-in form field classes: they validate commonly used input types and supply sensible defaults.
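Validation and output encoding are the two halves of the mitigation just described. The following added example (written for this article, not taken from it or from Django) shows a hand-written field validator in the spirit of a framework form field, a comment renderer that concatenates user input into markup, and the hardened version that HTML-encodes every untrusted value. The sample comment and author name are constructed; `countScriptTags` exists only to make the difference between the two renderers checkable.

```javascript
// Encode the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: a stored comment is concatenated straight into the markup, so any tags in
// it become real elements when the browser parses the page.
function renderCommentUnsafe(author, comment) {
  return `<li class="comment" data-author="${author}">${comment}</li>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in, so the
// browser shows the tags as text instead of executing them.
function renderCommentSafe(author, comment) {
  return `<li class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</li>`;
}

// Field validation in the spirit of a framework form field (hand-written here, not
// Django's code): enforce type and length and reject control characters before storing.
function validateCommentField(value) {
  if (typeof value !== 'string') return { ok: false, error: 'must be a string' };
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > 500) return { ok: false, error: 'length must be 1-500' };
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(trimmed)) return { ok: false, error: 'control characters' };
  return { ok: true, value: trimmed };
}

// Count <script elements a browser would parse from a markup string. Used to show that
// validation alone lets the sample through (it is well-formed text) while encoding
// neutralises it.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample: a comment that carries a script tag.
const SAMPLE_COMMENT = 'Nice post! <script>alert("xss")</script>';
```

In browser-side code the same rule applies: assign untrusted text with `textContent` rather than `innerHTML`, so the browser never parses it as markup.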

On the client side there are things you can do to avoid falling victim to XSS: don’t click any phishing link or attachment that you haven’t verified, don’t give out personal information to websites, phone callers, or strangers who message you out of the blue, and don’t download less-than-legitimate software.

Conclusion 

Antivirus tools can’t prevent every client-side XSS attack. This means users must stay vigilant. By following security best practices, you should be safe in most scenarios.

However, enterprises can implement strict controls such as Content Security Policy (CSP), cross-origin resource sharing (CORS), and the same-origin policy (SOP). These policies can be integrated into the development process, making the application much more robust than others.