Questions tagged [javascript]
1306 questions
The common name for the language used primarily for scripting in web browsers. It is not related to the Java language. Standardized as ECMAScript, its dialects/implementations include JavaScript and JScript.
237 votes · 11 answers
Why is Math.random() not designed to be cryptographically secure?
The JavaScript Math.random() function is designed to return a single IEEE floating point value n such that 0 ≤ n < 1. It is (or at least should be) widely known that the output is not cryptographically secure. Most modern implementations use the…
asked by forest (64,616 reputation)

159 votes · 4 answers
Why is the same origin policy so important?
I can't really fully understand what same origin domain means. I know it means that when getting a resource from another domain (say a JS file) it will run from the context of the domain that serves it (like Google Analytics code), which means it…
asked by YSY (2,229 reputation)

131 votes · 3 answers
This JavaScript code is injected on my hotel Wi-Fi: should I be worried?
While connected to my hotel Wi-Fi, visiting the URL http://www.google-analytics.com/ga.js results in the following content being served:
var ga_exists;
if(!ga_exists)
{
ga_exists = 1;
var is_responsive = false;
var use_keywords =…
asked by foodiddy (1,051 reputation)

88 votes · 5 answers
Can "Accept cookie" button in a website be malicious?
I don't remember when this "accept/cancel cookie" button started to be used in websites. Why do they insist on getting users to click on this button?
Can it do any harm to a user's PC or collect any private and sensitive data? Their reason for…
asked by 0_o (1,142 reputation)

83 votes · 10 answers
Why is JavaScript "safe" to run in the browser?
JavaScript has certain limitations such as preventing reading and writing to disk and not allowing access to other browser windows or domains. But is that all that's needed to prevent malicious code from running?
JavaScript is pretty powerful, and…
asked by PBeezy (1,731 reputation)

71 votes · 3 answers
Securing a JavaScript Single Page App with RESTful backend
I'm currently in the process of building a JavaScript SPA and have been researching how to secure it. There is currently a RESTful API that is being completely interacted with through AJAX. We also have mobile clients that interact with this API,…
asked by Jon Wingfield (821 reputation)

71 votes · 1 answer
Tell browser my site has no scripts
I have created a Tor hidden service site which has absolutely no JavaScript or other types of client side scripts. The page is HTML, CSS, images, and some JSP for handling user input.
I encourage users to use NoScript, however many times users do…
asked by k1308517 (1,272 reputation)

60 votes · 6 answers
Anonymous surveys that aren't so anonymous
In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. …
asked by iShaymus (673 reputation)

57 votes · 3 answers
eBay web site tries to connect to wss://localhost:xxxxx - is this legit or they have some Malware JS running?
In helping a corporate user log on to eBay, I noticed that when on the login page, a stream of errors was coming up in the Firefox JS Console about not being able to connect to wss://localhost. This is a bit concerning, obviously. Why would a web…
asked by ETL (631 reputation)

53 votes · 6 answers
Does injecting querystring values directly into HTML pose a security risk?
Someone reported a bug on my site that I don't really consider an issue. My site has a URL akin to this:
www.site.com/ajax/ads.asp?callback=[text injection]
So filetype is application/json, and I don't see how that can affect security of site.
His…
asked by Daniel (1,422 reputation)

49 votes · 2 answers
Magic hash attack in JavaScript
In PHP a magic hash attack happens when loose type comparisons cause completely different values to be evaluated as equal, causing a password "match" without actually knowing the password. Here is an example:
asked by drewiepooey (599 reputation)

47 votes · 4 answers
How do you know your server has been compromised?
I recently helped a client who had their server hacked. The hackers added some PHP code into the header of the homepage redirecting the user to a porn website — but only if they came from Google. This made it slightly harder for the client to spot.…
asked by Boz (595 reputation)

47 votes · 3 answers
I found obfuscated code in a comment on my blog. What should I do?
Today I was checking comments on my blog and I found a strange comment. Here is the exact text: