The Threat

  The use of Java, JavaScript and VBScript in HTML pages is becoming ever more popular, furthermore HTML provides support for other scripting languages with the use of the <SCRIPT> tag [3]. Even though this functionality is primarily intended to enhance the capabilities of web pages and the ``surfing experience'' of the user, it is often used to attack unsuspecting hosts.

Even worse, the site or host is vulnerable even if the browser is behind the firewall and the document is a ``secure'' HTTPS-based document. JavaScript programs are executed within the security context of the page in which they were down-loaded, and should have restricted access to other resources within the browser. Some browsers running JavaScript may, in turn, have security flaws that allow the JavaScript program to monitor a user's browser more than what is considered safe or secure. In addition, it may be difficult or impossible for the browser user to determine if the program is transmitting information back to the web server. For instance, among other functions, JavaScript is able to monitor a user's browser activity by:

• Observing the URLs of visited documents as well as bookmarks.
• Observing the data filled into HTML forms (including passwords).
• Observing the values of cookies (that might hold critical information).

In Java the user may or may not be informed that an applet is being down-loaded into their browser. The real shock comes when a user inadvertently down-loads a hostile applet. There are many different things hostile applets can do to wreak havoc on your system. Among a few of the most noteworthy are the following:

• Reveal information about your machine (e.g. details about passwords or structure of your system).
• Allocate resources to the point your machine ``locks up'' (i.e. denial of service attacks).
• Delete or alter files.
• Be just plain annoying (e.g. popping countless windows).

Hostile applets have also been known to have the capability to contact machines behind firewalls, send off a listing of a user's directories, track a user's actions through the web, generate machine code, make directories readable and writable, and send off email without intention .