http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/ Giorgio Maone's answers to the Web, the Universe, and Everything Wed, 16 May 2012 21:59:02 +0000 http://wordpress.org/?v=2.2.3 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9268 Giorgio Sat, 13 Sep 2008 07:33:27 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9268 @<b>Mook</b>: You're obviously right: that's much challenging (as I said) because you should manage to sandbox and analyze the page behaviour, isolating exploits so that they do not bring down the firewall/proxy itself (kind of virtualization?) Also this would't add anything to protect from <em>in-browser</em> attacks such as XSS and CSRF, because (unless you add some technology which you could better deploy inside the browser itself, such as NoScript, Firekeeper, CSP or the upcoming ABE) they would be successfully carried by the proxy. My whole point (and the conclusion of the original article as I understood it) is that securing JavaScript at the semantic level is very impractical, if not impossible, and anyway a task for the browser, not for any other external device/software. @Mook:
You’re obviously right: that’s much challenging (as I said) because you should manage to sandbox and analyze the page behaviour, isolating exploits so that they do not bring down the firewall/proxy itself (kind of virtualization?)
Also this would’t add anything to protect from in-browser attacks such as XSS and CSRF, because (unless you add some technology which you could better deploy inside the browser itself, such as NoScript, Firekeeper, CSP or the upcoming ABE) they would be successfully carried by the proxy.
My whole point (and the conclusion of the original article as I understood it) is that securing JavaScript at the semantic level is very impractical, if not impossible, and anyway a task for the browser, not for any other external device/software.

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9267 Mook Sat, 13 Sep 2008 05:05:01 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9267 But if you manage to execute the script with the browser context anyway, isn't that just like actually being in the browser? That is, you negate the security benefits by putting a different browser in front that can be exploited? Especially if it's using the same JS engine (spidermonkey / V8)... But if you manage to execute the script with the browser context anyway, isn’t that just like actually being in the browser? That is, you negate the security benefits by putting a different browser in front that can be exploited? Especially if it’s using the same JS engine (spidermonkey / V8)…

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9265 Giorgio Fri, 12 Sep 2008 21:01:37 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9265 @<b>Benjamin</b> ROTFL, that's why I talked about sandboxed <em>execution</em>... @Benjamin
ROTFL, that’s why I talked about sandboxed execution…

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9264 Benjamin Otte Fri, 12 Sep 2008 20:47:09 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9264 Here's a program. if it inf-loops it's evil, if it doesn't it's fine. Now we just need to solve the halting problem and then we can secure JS! Here’s a program. if it inf-loops it’s evil, if it doesn’t it’s fine. Now we just need to solve the halting problem and then we can secure JS!

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9263 Giorgio Fri, 12 Sep 2008 19:32:06 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9263 @<b>Doron</b>: Caja's scope is quite different, IMHO, trying to provide a sandboxed environment for web applications wanting to run user-generated JavaScript "safely". @Doron:
Caja’s scope is quite different, IMHO, trying to provide a sandboxed environment for web applications wanting to run user-generated JavaScript “safely”.

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9262 Doron Fri, 12 Sep 2008 19:22:50 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9262 Google has a project called Caja (http://code.google.com/p/google-caja/) that attempts to secure javascript in webpages by rewriting it and allowing you to configure what the JS can access. Google has a project called Caja (http://code.google.com/p/google-caja/) that attempts to secure javascript in webpages by rewriting it and allowing you to configure what the JS can access.

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9261 Giorgio Fri, 12 Sep 2008 18:17:06 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9261 @<b>Rob</b>: I can't tell for sure, but I tend to agree with your polite aesthetic judgment. @Rob:
I can’t tell for sure, but I tend to agree with your polite aesthetic judgment.

]]> http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9260 Rob Fri, 12 Sep 2008 18:14:11 +0000 http://hackademix.net/2008/09/12/firewall-makers-vs-evil-javascript/#comment-9260 Hey, the <a href="http://www.f5.com/images/home/home004.jpg" rel="nofollow">F5 girl</a> is hot! Is she Lori or a different model? :P Hey, the F5 girl is hot!
Is she Lori or a different model? :P

]]>