JavaScript: Difference between revisions
added tone notice - right now it reads a bit like a 'I hate javaScript' essay - and see discussion for my thoughts on relevancy |
"security nightmare" is actually just a risk, thanks to TS and ESLint (and other tools) |
||
| Line 16: | Line 16: | ||
*[[Personalized Ads|'''Targeted ads''']]: JS makes it harder for [[Ad block|ad-blockers]] to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve personalized ads, even across unrelated sites. | *[[Personalized Ads|'''Targeted ads''']]: JS makes it harder for [[Ad block|ad-blockers]] to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve personalized ads, even across unrelated sites. | ||
*'''Market control''': JS (alongside [[wikipedia:WebAssembly|Wasm]]) are built into almost every web-browser and UA, including "light-weight" ones (such as [[wikipedia:W3m|w3m]]). Incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability". Some people say that JS shouldn't even be a Web Standard,<ref>https://daringfireball.net/linked/2017/06/22/navistone-form-data</ref><ref>https://daringfireball.net/linked/2017/06/27/web-without-javascript</ref> implying that it should be an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] (such as Java Applets and [[Adobe]] Flash) the user willingly installs; this would reduce the incentive to use JS, as there's no guarantee the user has it. | *'''Market control''': JS (alongside [[wikipedia:WebAssembly|Wasm]]) are built into almost every web-browser and UA, including "light-weight" ones (such as [[wikipedia:W3m|w3m]]). Incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability". Some people say that JS shouldn't even be a Web Standard,<ref>https://daringfireball.net/linked/2017/06/22/navistone-form-data</ref><ref>https://daringfireball.net/linked/2017/06/27/web-without-javascript</ref> implying that it should be an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] (such as Java Applets and [[Adobe]] Flash) the user willingly installs; this would reduce the incentive to use JS, as there's no guarantee the user has it. | ||
*'''Security | *'''Security risks''': JS is well-known for being a poorly-designed tool.<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]) is a recipe for disaster, as it makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in many cases. The most common vulnerabilities found are: | ||
**[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | **[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | ||
**[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of the ECMAScript spec), but there are Web APIs (such as <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout setTimeout]</code> and <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval setInterval]</code>) that can be misused as well. | **[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of the ECMAScript spec), but there are Web APIs (such as <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout setTimeout]</code> and <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval setInterval]</code>) that can be misused as well. | ||
**Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily. | **Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily. | ||
**[[wikipedia:Sandbox_(computer_security)|Sandbox]] escape. Modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance; this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine. | **[[wikipedia:Sandbox_(computer_security)|Sandbox]] escape. Modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance; this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine. | ||
About that last point, it's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of bugs. | |||
==Incidents== | ==Incidents== | ||