JavaScript security leaks?

From: Charles Sullivan (cwsulliv_at_triad.rr.com)
Date: 02/25/05


Date: Fri, 25 Feb 2005 17:55:41 GMT

When browsing a website with JavaScript enabled in the
browser (Firefox, Opera), what information about my
system can be returned to the website by JavaScript?

I've seen the scam sites which display the contents of the
current directory and purport that they are being returned
to the website. But I've been told they are just displayed
locally and aren't really returned to the website.

However this site _looks_ legitimate:
  http://www.auditmypc.com

When the "What's my IP" menu item is selected it displays
the internal network IP of my PC, which is behind a router.
(It isn't displayed if I disable JavaScript in the browser.)

If the internal IP is in fact actually returned to the
website, what other information might JavaScript reveal?

(I'm running PCs under Red Hat 9, Fedora Core 2, and
Windows XP in a network behind a Linksys WRT54G router.
Firewalls are configured for the router and on each
individual PC.)

Regards,
Charles Sullivan

 


