JavaScript

JavaScript is a language for computer programming that is object oriented and is used facilitates interaction within web browsers. JavaScript is mainly employed in browsers to provide client side functions in most web applications. With recent developments of an open web operating system, developers have been given a chance to create services including maps and advertisements. Services and applications can take advantage JavaScript utility foundation libraries. These libraries give utility for string, object, and array processing, Accessing web operating system services, creating error and class objects, Asynchronous processing and many other programming functions. JavaScript help in powering synergy connectors, furthermore, services of JavaScript strengthens web operating system enabling background processing and adds new features like; access to filesystems, low-level networking, and processing of binary data to the web operating system technology stack. The services provided by JavaScript are essential because they enable; faster performance offloaded processing and shared processing (Oracle.com, 2016).

While JavaScript provides a platform for useful functions, most of these web applications may use the JavaScript codes from untrusted third party sources. These untrusted JavaScript sources may expose Application Program Interface (API) to corrupt codes that mediate access to security related resources that are quite critical. The API is a critical tool that has set of instructions or routines and protocol that are used in building software and other web applications.

JavaScript continues to be the single most dangerous threat to system security. This paper provides a technical analysis of JavaScript services, security and threats to give a conclusive evidence on whether JavaScript is the most dangerous security system threat.

JavaScript for Services

The Node.js is a runtime environment incorporated in Operating system of websites allowing users to come up with both applications of web operating system and services in JavaScript. Developers can program services utilising JavaScript libraries. The runtime environment is an input-output framework for JavaScript engine aimed at implementing measurable network programs such as streaming servers and web servers. Node apps do not need a browser, they operate on their own and are more linked to server-side JavaScript. Node.js utilises event loops rather than threads, allowing it to link to several concurrent connections (Openwebosproject.org, 2016). Node.js exploits the opportunity that servers spend more time waiting for input-output operations which are slower than operations in memory. Each input-output operation within Node.js is asynchronous, which enables the server to proceed to process incoming requests as input-output continues in the background. The event-based model of JavaScript makes Node.js very quick and eases scaling of real-time applications. JavaScript is well suited to programs that are event-based due to its closures and anonymous functions making identifying inline callbacks simpler.

JavaScript Security

The technology of JavaScript security includes a set of tools, APIs, and implementations of majorly used mechanisms, protocols, and security algorithms. JavaScript security technology provides developers with a well-versed security system utilized in writing applications. Moreover, users and administrators are given with some tools to safely manage applications. Java security platform is a standards-based, extensible security architecture, dynamic and interoperable. Security features such as cryptography, public key infrastructure, authorization, and authentication are built in. The security model is linked with a customisable framework in which JavaScript software programs can operate safely without posing the risk to users and systems. Several browsers allow users to download various JavaScript programs with a browser page and use them within the browser. These programs enable interaction with the browser user and aid in transmitting data between the browser and the Internet servers that provide the page. Downloading and executing programs written by strange parties is a dangerous activity. A program availed in the web could work as marketed (Powell and Schneider McGraw-Hill, 2004). However, it may also be the route to installing spyware, or a virus and even worse activities like deleting and stealing data.

The decision by users of taking the risk of running downloaded programs is itself explicit; one has to download the program and exhibit intentions to run the program through confirmation in a dialogue box. Because it would be annoying to have to give a confirmation every time a user wants to run JavaScript on a new web page, the browser executes security frameworks programme to lower spyware risk that unknown codes pose to users. A security policy defines a combination of restrictions dictating what functions scripts can perform and under what conditions. For example, it is reasonable to expect web browsers’ security framework to prevent JavaScript on web pages downloaded from the web from accessing files on a user’s computer. If there were no such security programs any web page visited by a user could either destroy or steal files.

JavaScript Security Threats

JavaScript has inglorious reputation history of vital security holes. These JavaScript vulnerabilities vary from considerably harmless oversights to atrocious holes that grant access to local cookies, files, or network capabilities. JavaScript security problems are not just limited to execution errors. There are very many methods through which scripts can interfere with user’s execution capability without infringing any security policies (Grégoire, 2009). These ways include; Bombarding browsers, Memory Hogs, Infinite loops, Deceptive practices, and using the functionality of a browser.

The bombarding browsers-The quantity of resources that is granted to a browser on the user’s machine is majorly a factor of the operating system. A great number of operating systems continues to assign CPU memory and cycles beyond what may be required by the application. It is very easy to program JavaScript to crash a browser both by accident and by design. The content of several sections of a JavaScript is written to exploit some of the major challenges browsers face with securing access to a user’s operating system that functions in a normal way. It is undeniably easy to program a JavaScript the will not only crash the browser but also the operating system of a user.

Infinite Loops- these are endless instruction sequences in a computer program. Loops either have no condition for their termination or are have termination conditions that cannot be met or start over. Infinite loops can cause the entire operating system to be unresponsive due to memory failure caused by the finite nature of these loops (Grégoire, 2009). Modern browsers can catch and stop the execution of predictable loops but not complex loops. Most infinite loops consume cycles and all processor time that is available doing the same task repetitively.

Memory Hogs-these types of software bugs eat up all the memory that is available. Some types of programme memory hogs, when invoked, result into stack overflow if not a panic condition. JavaScript programs may even contain self-replicating codes to deplete browser memory.

Deceptive Practices- programming tactics that are deceiving are utilised to annoy or trick users. The most common approach involves creating a small window that is minimised and hidden in the background by refocusing on the original window that the user is focused on. The second window then sets a timer that generates pop-up ads on an interval basis. The secondary window pops equipped with event handlers that will cause a blur immediately it receives focus from the user it may also contain an unload handler to generate it in the unexpected event that the user closes the window. In many cases, windows will pop up to look like operating system alerts. When a user clicks on these pop-up windows they depict all types of behaviours from initiating hostile downloads to stealing passwords. These windows are technically created and are almost indistinguishable from the real windows. Major security threats also arise from developers with dubious skills that create windows that cannot be shut down or those that are positioned off-screen such that they cannot be noticed.

Making use of Browser’s functionality- these are scripts that write elements referencing itself, therefore, generating an infinite recursion of files, this stops the user from any action because the browser is occupied with fetching pages to showcase user interface activities. Alternatively, one can open up an unlimited sequence of dialogue boxes or endlessly call window open to a point where the resources of the user are depleted.

Conclusion

The benefits of JavaScript are far much greater than imposed security threats. Every milestone technological advancement is prone to hitches, especially in computers. Cyber-crime cases are on the rise imposing threats to several computer programs; JavaScript is not an exception to these threats and malicious programs. It is crucial that solutions are sought to these problems arising from applications used in the system. Several programme have come up with ways to at least reduce exposure risk rates if not to eliminate specific risks. JavaScript is at the epicente of web linking and functionality. Therefore, discontinued use is not an option for the majority of users. Furthermore, several programs have been developed to counter the defects of JavaScript.

Therefore, efforts to make it more secure should be the only option for developers even as the future of computer programming looks threatened by cyber security. It is, therefore, important that users understand that JavaScript is not the only system threat and embrace it fully while programme seek solutions and in any case, all other computer programs are susceptible to penetration.

References
Grégoire, J. (2009). JavaScript and Visual Basic Script Threats: Different scripting languages for different malicious purposes. 1st ed. [eBook] Available at: http://www.eicar.org/files/tutorial_js_vbs_threats.pdf [Accessed 30 Jun. 2016]. Oracle.com. (n.d.). Java SE Security. [Online] Available at: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html [Accessed 30 Jun. 2016].
Openwebosproject.org. (n.d.). Open web OS: Developing JavaScript Services. [Online] Available at:http://www.openwebosproject.org/docs/developer_guide/javascript_services/#.V3WXV49OLIU [Accessed 30 Jun. 2016].
Powell, T. and Schneider McGraw-Hill, F. (2004). JavaScript Security. [Online] Devarticles.com. Available at: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/ [Accessed 30 Jun. 2016].