I just read an article on computer hacking. I was recalling my tough days with the hackers. In my last job, I had a bad time with them. Not only once, but they troubled me more than twice.

The article I read was about the hackers' new tool: JavaScript. Who knew you could do such wonderful things with JavaScript? Seriously, JavaScript has been around for years; it is part of the backbone of the modern Internet. Now, suddenly, it is the new playground for criminal hackers. QuickTime and Adobe Reader are the two big applications seen with flaws that let carefully designed and potentially dangerous JavaScript execute on your computer.

Adobe says that version 8.0 is more stable and capable of handling this kind of attack. In version 8, should you stumble upon a maliciously coded PDF URL, you will see an illegal-operation dialog box and the extra code will not execute.

Why the urgency? Because, according to this site, you don't even need to visit a site on the Internet to be attacked: the Adobe Reader plug-in includes a test PDF file, and a criminal can use this file, sitting on your hard drive, to append a malicious string of JavaScript. New variations on this attack are being discovered by researchers every day. Like researcher Billy Hoffman of SPI Dynamics, whose work featured in this article on the dangers of AJAX that ran last August, Di Paola and Fedon started playing around with all that could be done with XMLHttpRequest, one of the core code extensions used in AJAX. Di Paola and Fedon quickly advanced the idea that, rather than leveraging flaws on the Web sites themselves, with AJAX one could instead leverage flaws within the Internet browser or, in this case, in the browser's plug-ins.

In XSS Prototype Hijacking attacks, the attacker uses an extensible clone of the native XMLHttpRequest object. The example given is an AJAX-enabled bank transaction. The user sees a dialog box saying that a bank transfer is about to happen, and the bank further notifies the customer via SMS for every bank transfer completed by an authenticated user. But if the AJAX code here is injected with specially crafted JavaScript, both the transfer request and the receipt of the transaction are forwarded to the attacker, not to the legitimate user. Di Paola points out that "the attack is independent of any authentication system…AJAX-based applications could be subverted by ignoring the application specific implementations or communications modes."
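As an added example of the defensive side of this (my own code, not from the article or from Di Paola and Fedon's paper), here is a page-load integrity check a site can run before trusting its AJAX layer: a hijacked XMLHttpRequest is a script-defined clone or a patched prototype method, so it no longer reads as native code, and the check reports that. Function names such as `checkNativeIntegrity` and `auditXmlHttpRequest` are this example's own.

```javascript
// Added example, not from the original post: detect XSS prototype hijacking
// of XMLHttpRequest by checking that the constructor and its core methods are
// still the browser's native ones. Names here are this example's own.

// Capture the real toString first; a hijacker that also replaces
// Function.prototype.toString could otherwise lie to the check below.
const nativeToString = Function.prototype.toString;

const XHR_METHODS = ['open', 'send', 'setRequestHeader'];

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Bound functions also print "[native code]", so reject them explicitly.
  if (String(fn.name).startsWith('bound ')) return false;
  return /\[native code\]/.test(nativeToString.call(fn));
}

// Returns a list of findings; an empty list means nothing looks tampered.
function checkNativeIntegrity(ctor, methodNames, label) {
  const findings = [];
  if (!isNativeFunction(ctor)) findings.push(`${label} constructor is not native`);
  const proto = typeof ctor === 'function' ? ctor.prototype : undefined;
  for (const name of methodNames) {
    const desc = proto && Object.getOwnPropertyDescriptor(proto, name);
    if (!desc) {
      // A subclass clone inherits the method instead of owning it.
      findings.push(`${label}.prototype.${name} is missing or inherited from a wrapper`);
    } else if (!isNativeFunction(desc.value)) {
      findings.push(`${label}.prototype.${name} has been replaced by script`);
    }
  }
  return findings;
}

// Browser entry point: run before any AJAX call is trusted. Returns null
// when XMLHttpRequest is not present (for example under Node.js).
function auditXmlHttpRequest() {
  const xhr = globalThis.XMLHttpRequest;
  if (typeof xhr !== 'function') return null;
  return checkNativeIntegrity(xhr, XHR_METHODS, 'XMLHttpRequest');
}

// Caveat: this is a heuristic. A callable Proxy also reports "[native code]"
// and a script that ran first can redefine fn.name, so it raises the bar
// for a hijacker rather than proving the object is untouched.
```

Under Node.js, where there is no XMLHttpRequest, the same check can be exercised against any native constructor, such as `Map`, to see how a subclass clone or a patched prototype method is reported.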

In HTTP Request Splitting attacks, the attacker takes advantage of flaws in asynchronous requests, injecting custom headers when the HTTP request is built. In their example, the researchers used IE's ActiveX object Microsoft.XMLHTTP, although they admit that other browsers have similar vulnerabilities that could also be exploited. Basically, whenever the AJAX HTTP request is created, a second request is bundled with it. Since the browser renders only the first response, the second one is cached, so that when the next legitimate request is sent, the cached page is presented instead.

All of these methods can be used by phishers: the first to bypass authentication systems, the second to serve up a cached bogus banking page instead of the real one. So I'm betting we haven't heard the end of these attacks. And Billy Hoffman, who spoke at length about AJAX flaws at Black Hat Las Vegas last August, will be at this year's RSA in San Francisco next month. I suspect he'll have more coding magic up his sleeve. In the meantime, be careful what you click and be extra suspicious of "extra" content following a PDF file, or any other long URL.
