
The AppSec How-To: JavaScript Security Implications


February 23, 2015

JavaScript controls our lives: we use it to zoom in and out on a map, automatically schedule doctor appointments and play games online. But have we ever properly considered the security state of the scripting language? Before dismissing JavaScript security as a client-side problem, consider the impact that exploiting a JavaScript vulnerability can have on the enterprise, from stealing server-side data to infecting users with malware and worse. Attackers are beginning to recognize this new playground, quickly adding JavaScript exploitation tools to their Web attack arsenal. In this paper we survey several JavaScript features and demonstrate the security implications of each. The features we zero in on include: the ability to take screenshots, record video and pinpoint location; efficient client-to-client communication with WebSockets; restricting the capabilities of third-party plugins through Sandbox; and intensive client-side business logic processing. For each security implication, we also provide the necessary mitigation measures.
