New Scanner Reveals the Vulnerabilities Present on Any Website

MENDY NEWMAN on June 09, 2020

If you know anything about coding, you know that JavaScript is basically everywhere. Often referred to as JS by its fans (and as that @#$% language by its detractors), it’s what enables interactivity on the web. Of course, HTML (hypertext markup language) is the language used to structure websites. And CSS (Cascading Style Sheets) enables adding design elements to the structure. But it’s JavaScript that makes websites come alive.

JavaScript is essential to modern web development. It is used in web applications, games, server-side code, mobile applications and lots of other places, too. It powers some of the most widely used websites and applications (Gmail, Facebook and Twitter), ample proof of how powerful it is. As both a result of its popularity and a reason that popularity continues to grow, many JS libraries are available. These include, for example, React and jQuery, as well as frameworks, such as Angular, Node, and Vue. Both frameworks and libraries are pre-written groupings of code, enabling developers to easily implement functionality into their projects.

The Dark Side of JavaScript

Sounds great, right?

It's not all butterflies and unicorns. As any JS realist can affirm, the language can be a hacker’s paradise, downright dangerous in fact, if proper precautions aren’t taken when developing with it. One of the most common threats out there today is Cross-Site Scripting (XSS), which allows attackers to inject malicious code into otherwise benign JavaScript running on websites. Typically, even the most advanced browsers cannot detect whether the site being browsed contains an XSS vulnerability. This, of course, leaves the browser, as well as the endpoint on which it resides, vulnerable to a host of threats.

Every few years or so, OWASP, the Open Web Application Security Project, publishes a roundup of the Top 10 Web Application Security Risks. XSS is a perennial, evergreen entry. According to the foundation, “XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” Attackers also use XSS to collect confidential information, login cookies and credentials. But XSS is just one of the threats floating around the web. Today, over 40% of breaches are initiated via web browsers, making browsing a top threat vector for enterprises.

Here at Ericom, we’ve developed Ericom Shield, a remote browser isolation solution that enables users to surf the web freely, without concern that an XSS attack or other web-based threat will penetrate their endpoint, and from there to a corporate network.

But here’s the thing: It is hard to grasp just how vulnerable even the most reliable websites are to being infected with cross-site scripting and other JavaScript-enabled malware. That is, just how much vulnerable JavaScript really is out there on the sites that users visit not only every day, but multiple times each hour.

To help you quantify the level of risk out there, Ericom has developed a vulnerability scanner that is now available to download for free from the Chrome Web Store. It enables security professionals to quickly analyze the amount of JavaScript and other elements that are running on any webpage, in order to discover and assess potential vulnerabilities. The analyzer doesn't change or alter the page in any way, but it does enable analysts to understand the extent of potential threats. It is also a great way to educate budget-holders as to how effective web-facing security like remote browser isolation is.
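As an added illustration (not Ericom's extension code and not part of the original post), the following Node.js sketch inventories the kinds of script elements such an analyzer would surface from a page's HTML source. The function name, report fields and sample page are constructed for this example; the regex matching is approximate and sees only static markup, not scripts loaded at run time.

```javascript
// Constructed sample page, used only for this example.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="//widgets.example.org/w.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.dataLayer = [];</script>
</head><body>
<a href="javascript:void(0)" onclick="track()">Menu</a>
<img src="/logo.png" onerror="this.remove()">
<iframe src="https://ads.example.org/frame"></iframe>
</body></html>`;

// Hypothetical helper: counts the script surface of one page's HTML source.
function inventoryScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = {
    inlineScripts: 0, firstPartyScripts: [], thirdPartyScripts: [],
    withoutIntegrity: [], tagsWithInlineHandlers: 0, javascriptUrls: 0, iframes: 0,
  };
  // Loose <script ...>body</script> match: good enough for counting,
  // not a substitute for a real HTML parser.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs] of html.matchAll(scriptRe)) {
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (!src) { report.inlineScripts += 1; continue; }
    const url = new URL(src[1], pageUrl); // resolves relative and //host URLs
    if (url.origin === pageOrigin) {
      report.firstPartyScripts.push(url.href);
    } else {
      report.thirdPartyScripts.push(url.href);
      // Third-party code without Subresource Integrity can change unnoticed.
      if (!/\bintegrity\s*=/i.test(attrs)) report.withoutIntegrity.push(url.href);
    }
  }
  // Drop script blocks so handler-like text inside JS source is not counted.
  const markup = html.replace(scriptRe, "");
  report.tagsWithInlineHandlers =
    (markup.match(/<[a-z][^>]*\son[a-z]+\s*=/gi) || []).length;
  report.javascriptUrls =
    (markup.match(/\b(?:href|src)\s*=\s*["']?\s*javascript:/gi) || []).length;
  report.iframes = (markup.match(/<iframe\b/gi) || []).length;
  return report;
}

console.log(inventoryScripts(SAMPLE_HTML, "https://www.example.com/news"));
```

Inline scripts, inline event handlers and `javascript:` URLs are also what a strict Content Security Policy would block, so high counts here indicate how much work a site would need before it could deploy one.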

Download it now to see just how vulnerable the websites your users regularly visit are.

The Dangers of The Web

The web is riddled with threats, and each time a user browses, they may expose your organization to a host of risks. Each time they click a link, open an attachment or land on a website, they might be allowing attackers to gain a foothold into the organization, especially if they are browsing unknown, uncatalogued websites. Traditional tools like firewalls cannot stop unknown web-based threats, especially without over-blocking to the point that it interferes with users’ work and buries helpdesks in website access exception requests.

Remote Browser Isolation - RBI

To effectively prevent web-based threats like XSS, no matter how much JavaScript is on the websites your users browse, consider remote browser isolation. When a user browses to a site, all code—good and bad—is isolated in a remote virtual browser that is destroyed at the end of the session. On their endpoint browser, the user interacts with a clean, threat-free media stream, an experience that is indistinguishable from “regular” browsing – only secure. Files and attachments that can be downloaded – another common delivery mechanism for malware – are isolated and sanitized as well, before being sent to the endpoint. And URLs from emails are opened in read-only mode to prevent users from entering credentials or other confidential information.

Web-based threats aren't vanishing anytime soon. Get an accurate read on the dangers you face with our vulnerability scanner. And choose smart, powerful tools like Ericom Shield to protect your endpoints and networks from the dangers it reveals.

Author

Mendy Newman

Mendy is the Head of Solution Management at Ericom for all its products. Mendy's team focuses on delivering implementation and architecture solutions to our customers worldwide.