web application security lab

Does Surfing Without JavaScript Make You Secure

Jeremiah Grossman and I have been chatting a lot lately about ways to circumvent restrictions placed on exploitation by users who have turned off JavaScript. Welllll, as it turns out, we actually can still do significant recon without the use of JavaScript or Java or Flash. I think Jeremiah is going to wait until Blackhat Japan, so I’m not going to spill the beans, but from what I’ve seen it really adds another route to doing some of the things I’ve been posting about over the last few months.

But it got me thinking about other issues that I can talk about. For instance, I was visiting what was essentially a hacked site that had a redirection built into a Flash movie. Here I was, with Flash and JavaScript and Java turned off and yet I was still getting redirected. What’s the deal? Well, after doing a little research it turns out that Flashblock requires that JavaScript is turned on. So to turn off Flash, I have to have JavaScript turned on - how is that helping me?

Sure, there are other much more annoying ways to turn off JavaScript and Flash at the same time, but the point being, just when I thought I was safe from certain vectors, they were re-opened by conflicts with one another. This reminds me of a project I worked on once to supply anti-virus software to customers for free, but because of potential liability issues we opted not to because of conflicts with existing software.

The short answer is, no, you definitely aren’t safe by simply turning off JavaScript. Java, Flash, VBScript, ActiveX, and a host of other forms of dynamic content can cause exploitation. Things are pretty broken right now.

4 Responses to “Does Surfing Without JavaScript Make You Secure”

  1. Matt Says:

    Unless there was a browser which only showed the text on a page, no images, no colours, no javascript, no flash…nothing except plain black text on a white background, then you might be a bit safer when surfing the internet, but even then, it wouldn’t be perfect, nothing like perfect.

  2. RSnake Says:

    I think you’re describing Lynx or Links. But as you said those aren’t perfect either… both have had security issues in the past. Very different kinds of security issues than the ones I’m talking about, but still.

  3. Kassad Says:

    Reading this the first time, I was getting desperate. Many, many risks. But we need all these tools, those are what make the web tick. Thinking along these lines, I think, all our problems come from one point.

    That is the so called “PC-paradigm”.

    Every single person, having a PC, is practically sitting on a “nuclear power plant”. The PC-paradigm, now over 35 years, was great. It was for the pioneers.

    Now, it is over. On two accounts:

    First, the common people have come in. They are in no need of knowledge, they only want to use features. They are excellent candidates to be captured and to be made zombies if they have a computer.

    Second, there is an emerging new paradigm, IMHO, that is the new “supercomputer”, the WEB, itself. With the advent of the “new” technologies and principles like AJAX and social networking - what we call generally the Web 2.0 - we may use the applications on the web, not those on our computer. Also, we may be in a better position as we can use only those features that we actually need and do not have the minefield of the OS and the application, both crammed with unnecessary features and full of possible compromises.

    The less intelligence an “interfacing” device has, be it a handheld or mobile browser, reader, etc., the less prone it is to be compromised. The web itself was made with redundancy, invulnerability and distribution in mind. Distributing resources, functions, building up heavy redundancies and using trusted services like Akismet e.g. would make the web a rather viable place to live in. That is, I think the Web is in a better position to defend itself than a single user with a personal computer.

    Well, I understand this is a very broad subject.
    I tried to picture what I had in my mind, so bear with me :)

  4. Seek3r Says:

    If you use noscript along with flashblock then you can enable the noscript feature that blocks all flash. Then when you enable scripting for a site which has flash, then you will see the flashblock image to enable it.
    So this means on a site that does not have javascript allowed in noscript, then no flash will be run either.