Trends and issues with JavaScript

In this discussion of JavaScript we will look at what it is, some of the current trends surrounding it, and its security issues and vulnerabilities. But what is JavaScript, and how did it become so popular? JavaScript is a high-level interpreted programming language that has been in use since the early 90s and is used by approximately 88.1% of all websites. In a post by Bouwkamp (2016), she claimed that JavaScript is currently the world’s 3rd most popular programming language (Figure 1.0). She went on to state that it is “another one of the world’s most popular and powerful programming languages, and is used to spice up web pages by making them interactive.”

Figure 1.0 Languages ranked by programming jobs(Bouwkamp, 2016)

JavaScript, like any other web technology, has gone through numerous evolutions and modifications, so much so that developers are able to explore new avenues and possibilities almost every day as they seek to heighten the user’s experience and interactions online. This has also been driven by the emergence of smartphones and other smart technologies. JavaScript is used in conjunction with HTML to add effects to web pages: it interacts with the Document Object Model (DOM) to display message windows, validate forms and widgets, and even to create games. The language is built into all major web browsers, including IE, Chrome, Opera, Firefox and Safari.

Trends

Some of the trends in Javascript include but are not limited to: 

  • React.js
  • Data-Driven Documents (D3.js)
  • Angular JS
  • JQuery
  • Ember JS

React.js

This is a JavaScript library for building user interfaces, created by engineers at Facebook. “React is a JavaScript library for creating user interfaces by Facebook and Instagram. Many people choose to think of React as the V in MVC. We built React to solve one problem: building large applications with data that changes over time.” (Github, n.d.)

React allows one to express how the application should look at any given point in time, and it automatically manages user interface updates as the underlying data changes. The library uses what is known as a virtual DOM: when changes are made, the virtual DOM efficiently re-renders the real DOM.

This library is currently being used by organizations such as Netflix, Bleacher Report, SeatGeek, and HelloSign.

Vulnerabilities

“One of React’s features is that it handles XSS escapes by default.” (Lolware, 2015). What this means is that developers using ReactJS place their faith in the library to do the escaping for them.

Angular JS

AngularJS is a structural framework for dynamic web applications. Unlike React.js, however, Angular operates within the browser, which makes it an ideal partner for most if not all server technologies. AngularJS “attempts to minimize the impedance mismatch between document centric HTML and what an application needs by creating new HTML constructs. Angular teaches the browser new syntax through a construct we call directives.” (AngularJS, n.d.)

AngularJS extends HTML with new attributes and is ideal for Single Page Applications (SPAs). Lau (2013) declared that “Angular is the only framework that doesn’t make MVC seem like putting lipstick on a pig.”

Vulnerabilities

Donovan (2015) lists the following vulnerabilities within AngularJS:

  • Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)

JavaScript Security Vulnerabilities

According to the Open Web Application Security Project (OWASP), the two most common JavaScript security vulnerabilities are Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). XSS vulnerabilities allow attackers to manipulate websites into returning malicious scripts to their visitors. These attacks arise in one of two ways: when the browser, or when the application developer, fails to implement the same-origin policy and other correct development techniques. Failure to implement these preventative measures can result in account tampering, malware spreading, data theft or remote access to the user’s browser. Even though Cross-Site Scripting is enabled by vulnerable pages in a web app, the victims are the application’s users and not the web app itself. Figures 1.1 and 1.2 show two examples of XSS, Reflective and Persistent respectively.

Concepts of Cross-Site Scripting

  • XSS is a web-based attack performed on vulnerable web applications.
  • In XSS attacks, the victim is the user and not the application.
  • In XSS attacks, malicious content is delivered to users using JavaScript. (Veracode, n.d.)
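The escaping that React applies “by default” (see the React section above) and the XSS mechanism described in the preceding paragraph come down to the same thing: whether untrusted text is inserted into markup raw or escaped for its context. The block below is an added example, not code from the original post or from React; it writes that escaping out by hand, renders a constructed comment both ways, and checks which rendering still contains live markup.

```javascript
// Added example, not from the original post: the context-aware escaping that a
// library such as React applies to text and attribute values by default, written
// out by hand so the difference between raw and escaped insertion is visible.

// Entity map for the five characters that can break out of text or attribute
// context. Quotes are included so the same function is safe inside attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape every HTML-significant character in a single pass.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: untrusted values are concatenated straight into markup,
// so tags in the body and quotes in the author name become part of the page.
// Whether that is reflected or persistent XSS depends only on where the
// values came from (the current request, or the database).
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}">${body}</div>`;
}

// Hardened rendering: every untrusted value is escaped before insertion, so the
// browser shows the tags as literal text instead of executing them.
function renderCommentSafe(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// True when a rendered fragment still contains a live script tag or an attribute
// injected by closing the data-author quote; false is what the safe path guarantees.
function containsRawMarkup(fragment) {
  return /<script\b/i.test(fragment) || /" onmouseover=/i.test(fragment);
}

// Constructed sample input: a stored comment whose author name tries to break out
// of the attribute and whose body carries a script tag.
const SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)';
const SAMPLE_BODY = "Nice post <script>alert(1)</script>";

console.log("unsafe:", containsRawMarkup(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY))); // true
console.log("safe:  ", containsRawMarkup(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY)));   // false
```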

Figure 1.1 Reflective XSS

Figure 1.2 Persistent XSS

The second vulnerability is Cross-Site Request Forgery (CSRF), which occurs when a malicious website sends a request to a web app on behalf of a user who is already authenticated, allowing the attacker to use the web app’s functionality as if they were the intended user. These attacks mostly target web apps such as social media, in-browser email clients, online banking and web interfaces for network devices.

Concepts of CSRF

  • Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against.
  • The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.
  • The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF. (Veracode, n.d.)

References:

Bouwkamp, K. (2016) The 9 Most In-Demand Programming Languages of 2016. Available at: http://www.codingdojo.com/blog/9-most-in-demand-programming-languages-of-2016/ (Accessed: June 13, 2016).

Donovan, G. (2015) Top 10 Security Risks for AngularJS Applications – Kevin Hakanson. Available at: http://techjaw.com/2015/03/05/top-10-security-risks-for-angularjs-applications-kevin-hakanson/ (Accessed: June 13, 2016).

Github (n.d.) Why React? Available at: https://facebook.github.io/react/docs/why-react.html (Accessed: June 13, 2016).

Lau, D. (2013) 10 Reasons Why You Should Use AngularJS. Available at: https://www.sitepoint.com/10-reasons-use-angularjs/ (Accessed: June 13, 2016).

Lolware (2015) Testing ReactJS for XSS vulnerabilities. Available at: https://lolware.net/2015/08/19/reactjs-xss-testing.html (Accessed: June 13, 2016).

Veracode (n.d.) Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection. Available at: http://www.veracode.com/security/csrf (Accessed: June 13, 2016).

Veracode (n.d.) Cross-Site Scripting (XSS) Tutorial: Learn About XSS Vulnerabilities, Injections and How to Prevent Attacks. Available at: http://www.veracode.com/security/xss (Accessed: June 13, 2016).

Groope Multimedia © 2019, All rights reserved