May 25, 2011

Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, and it applies the same per-site control to plug-in content such as Flash Player. Users can allow a site either permanently or only for the current browsing session.

The NoScript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it’s not uncommon when you’re shopping online to come across a site that won’t let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you’ve already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

Chrome also includes similar script and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, then when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. Clicking that and selecting “Always allow JavaScript on [site name]” permanently enables JavaScript for that site, but Chrome gives you no option to block the third-party JavaScript embedded on that site the way NoScript does: allowing the site allows everything it loads. In my testing, I also had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted.

To restrict scripting in Chrome, click the wrench icon in the upper right corner of the browser. Under “Options,” select “Under the Hood.” Click the “Content Settings” button at the top. Under JavaScript, select “Do not allow any site to run JavaScript”.
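The difference between the two allow-list styles described above is easier to see in code. The following is an added example written for this page; it is not code from NoScript, Chrome or the original post, and it only models their behaviour. Mode "origin" mimics NoScript’s list: the page’s own site must be allowed, and each script additionally needs its own host on the list, so third-party scripts stay blocked until you allow them individually. Mode "site" mimics Chrome’s per-site setting: allowing the page’s host lets every script on that page run, third-party ones included. Temporary entries mirror NoScript’s “allow for this session” choice. The page URL, script list and host names are constructed for the example, and the eTLD+1 heuristic is a deliberate simplification.

```javascript
// Added example, not from the original post or from either browser's code.
// Models two allow-list styles: "origin" (NoScript-like, per script host)
// and "site" (Chrome-like, per page host). All host names are constructed.

// Simplified eTLD+1 (last two labels). A real implementation would consult
// the Public Suffix List so that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// An allow-list entry matches the host itself and any of its subdomains.
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

class ScriptPolicy {
  constructor(mode) {
    if (mode !== "origin" && mode !== "site") {
      throw new Error("mode must be 'origin' or 'site'");
    }
    this.mode = mode;
    this.permanent = new Set(); // "always allow": survives across sessions
    this.session = new Set();   // "temporarily allow": cleared at session end
  }

  allow(host, { temporary = false } = {}) {
    (temporary ? this.session : this.permanent).add(host);
  }

  revoke(host) {
    this.permanent.delete(host);
    this.session.delete(host);
  }

  endSession() {
    this.session.clear();
  }

  isAllowedHost(host) {
    for (const entry of this.permanent) if (hostMatches(host, entry)) return true;
    for (const entry of this.session) if (hostMatches(host, entry)) return true;
    return false;
  }

  // For each script URL found on a page, decide whether it would run.
  decide(pageUrl, scriptUrls) {
    const pageHost = new URL(pageUrl).hostname;
    const pageSite = registrableDomain(pageHost);
    const pageAllowed = this.isAllowedHost(pageHost);
    return scriptUrls.map((src) => {
      const host = new URL(src, pageUrl).hostname; // resolves relative URLs
      const thirdParty = registrableDomain(host) !== pageSite;
      // "site": the page's permission covers every script it loads.
      // "origin": the page must be allowed AND the script's host must be.
      const allowed = this.mode === "site"
        ? pageAllowed
        : pageAllowed && this.isAllowedHost(host);
      return { src, host, thirdParty, allowed };
    });
  }
}

// Constructed checkout page: a first-party script, a same-site CDN, an ad
// tag and an analytics beacon, the mix the article describes on most sites.
const PAGE = "https://shop.example/checkout";
const SCRIPTS = [
  "/js/cart.js",
  "https://cdn.shop.example/lib.js",
  "https://ads.adnetwork.example/tag.js",
  "https://analytics.example/beacon.js",
];

// Returns the hosts whose scripts would run after "Always allow" on the shop,
// plus any hosts allowed only for the current session.
function allowedSources(mode, extraTemporary = []) {
  const policy = new ScriptPolicy(mode);
  policy.allow("shop.example");
  for (const h of extraTemporary) policy.allow(h, { temporary: true });
  return policy.decide(PAGE, SCRIPTS)
    .filter((r) => r.allowed)
    .map((r) => r.host);
}

console.log("site mode:   ", allowedSources("site"));
console.log("origin mode: ", allowedSources("origin"));
console.log("origin + temporary analytics:",
  allowedSources("origin", ["analytics.example"]));
```

Run with `node` and compare the three lines: in "site" mode the single click that allows the shop also lets the ad network and the analytics host run, while in "origin" mode only the shop and its own CDN run until each third party is allowed separately, and a temporary allowance disappears once `endSession()` is called.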

Internet Explorer 9, which Microsoft released earlier this year, is by far the fastest and most advanced version of IE (it rivals Chrome in the speed with which it loads Web pages). IE9 also includes new security features, such as enhanced memory protection and Microsoft’s SmartScreen Application Reputation engine, designed to alert users when they try to download files from locations on the Web with an unknown or dodgy history.

But I found it hard to believe that this new version of IE still gives the user so little choice in handling JavaScript. In IE9, scripting can be turned on, turned off, or set to prompt you before scripts run. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below).

I like Chrome’s simplicity and speed, but I prefer Firefox because it offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit.


38 thoughts on “Blocking JavaScript in the Browser”

  1. Dan Herrup

    NotScript is a Chrome extension that mimics the functionality of Firefox NoScript. I’ve been using it for a few days and I’m impressed. Like you I’ve always preferred NoScript, but Chrome is just so much faster and cleaner.

    1. Bill Horvath II

      I’ve been using NotScripts for a while now on the occasions I use Chrome. It seems to work well, but I’ve been experiencing issues lately (that I think are Chrome-related, though they could be NotScripts) where pages will download, but simply won’t render.

    2. Josh

      I also migrated to Chrome when NotScript came out. The lack of a NoScript-type extension for Chrome was the only thing that kept me from using it for a while.

      NotScript gets the job done, but it does have some limitations when compared to NoScript. For example:

      * There’s no option to not automatically reload affected pages when you choose to allow a particular script. For example, if you have 20 tabs open and you allow a script that affects 5 of those tabs then all 5 reload. That can be annoying on slower connections.

      * NotScript will not show some scripts until some scripts are allowed. For example, you may go to site example.com that is embedding content from a.com, b.com, and c.com. NotScript does not seem to recognize that a.com, b.com, and c.com exist until example.com is allowed. This results in having to sometimes reload a page 3 or 4 times to see the content that you want.

      I suspect the first point is just a feature. I think the second point is probably related to the way that NotScript has to use HTML5 storage caching to work around the way Chrome handles extensions, but I’m not 100% sure of that.

      I personally will not use IE 9 or any other browser that does not have some sort of NoScript / NotScript functionality available. Browsing with javascript turned on is like having unprotected sex. It may be easy and fun, but it won’t be long before you’ll catch something.

  2. Blubb

    NoAds is an extension for the Opera browser which has the same functions as NoScript in Firefox.

  3. Mike

    I would also recommend RequestPolicy addon for Firefox. From its website: “[…] giving you control over when cross-site requests are allowed by webpages you visit.” RequestPolicy operates in the same fashion as NoScript in that it allows you to selectively pick which sites have temporary or permanent permissions for cross site access. I find that the use of NoScript plus RequestPolicy gives me quite a bit of security. Also, I do throw in AdBlock Plus for good measure.

  4. Grot

    @krebs
    What do you think of the options available in a fresh default Opera installation?

  5. Bill Lee

    I find it incongruous that this blog describes the intrusive use of JavaScript for nefarious use only to find that the page itself uses many scripts from many different sites for who-knows-what purpose. E.g., google-analytics, which provides the site owner with information about who/where visited the site but also provides Google with one more peephole into the privacy of the viewer.

    Is this a question of doing what I say rather than what I do?

    1. BrianKrebs Post author

      @Bill – Interesting perspective. The point of this post was to say that JavaScript is ubiquitous but also can be nasty. So because my site uses JavaScript, I’m being incongruous by recommending that people selectively allow scripting?

      1. Bill Lee

        While I applaud your suggestion that users avail themselves of add-ons to mange the use of JavaScript (which I do!), I find it unsettling that your own blog would be a prime example of why they should.

        The incongruity is evident in your own words:

        “Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors”

        followed by

        “my site uses JavaScript” to a myriad of 3rd-party sites, most of which are advertising and/or tracking sites.

        If you are as concerned about privacy and security as I believe you are, your own site should not be an example of how privacy and security can be abused.

        1. BrianKrebs Post author

          My site is abusing your security and threatening your privacy? Really?

          This blog includes code that keeps track of how often people visit. Nearly every site on the Internet maintains similar code. I’ve been up front about the fact that my blog is supported in large part by advertising.

          I’ve also not spent a lot of time writing about privacy concerns because I find many claims about privacy invasion on the web to be vague and full of FUD. When I do write about privacy issues, it is generally in the context of encouraging people not to give away personal information that they don’t want everyone else to know or find out.

          Can you please explain what it is that you feel is so potentially dangerous about reading the content on this site?

        2. Josh

          Bill,

          I’m not sure what’s wrong with tracking or advertising. Sure, it can be taken too far, but this blog doesn’t do that.

          Right now I’m reading this in Chrome with NotScript enabled. I have Krebs’s, addthis, youtube, wordpress, and google-analytics allowed. Those four 3rd-party sites were already enabled for other reasons.

          I have topsy, quantserv, and fmpub blocked at the moment. I don’t have any reason to allow them so I’m not going to go out of my way to whitelist them.

          That’s the whole purpose of add-ons like NoScript. If you don’t like the third party content then just block it. Blacklist it by default then just allow what you need and you’ll never have to worry about it. I doubt the author has a problem with you doing it on his Web site since he’s the one promoting the add on.

        3. David Ward

          Bill,
          You can’t possibly really believe what you’re saying… And even if you do… You’re a savvy user and undoubtedly using the very security measures that Krebs is talking about. If so the site will work fine for you with the exception of the YouTube video… Which you could never have seen anyway with your rigid personal security policy. So I don’t see the downside here…

          Krebs touts a security mechanism, “yes” that would create a centric in which even the trust relationship with his own site would be subject to scrutiny. And you’d have to say “Allow Scripting from krebsonsecurity.com” but that makes me trust him more not less. If my Bank tells me to check for SSL, “do I trust them less?”, No. Even if they acknowledge there’ve been malicious certs issued lately, and you should check the certs carefully or update your browser. I appreciate every layer to the onion of security and praise to the man who advocates a policy that would inherently break portions of his site; because he trusts you to trust him enough to re-enable scripting for his site… or if not… he doesn’t hinder you from reading his articles.

  6. xAdmin

    I much prefer a blocking hosts file that works at the Operating System level instead of an application-specific function. To me, NoScript is an administrative nightmare and blocks a lot of useful functionality. Well, that and on a personal preference, no other browser matches the functionality of IE 8’s Favorites Center or has a convenient command line function (to use in a batch file) to clear history, cookies, temporary Internet files, etc. Also, I’m a huge keyboard shortcut user and have found no other browser matches keyboard shortcuts as intuitively as IE. I also don’t care for the User Interface of many other browsers, even IE9! But, I digress, getting off topic.

    I’ve used Internet Explorer as my only browser for almost 15 years now and have yet to get any type of malware infection. So, while blocking JavaScript has a useful function and could be considered another layer of security, there are many other more useful measures one can take that keep malware at bay without losing so much functionality and increasing administration overhead. In the end, it’s always a security versus usability trade off.

  7. Tony

    I’ve used the Verify Redirect add-on for Firefox and like it very much. I’ve been trying out RequestPolicy as a possible replacement for Verify Redirect (at the recommendation of forum participants, here). Its interface and options are similar to NoScript.

    I just tried the NotScript add-on for Chrome. This, too, like others above, was keeping me from using Chrome. I like the NotScript interface — cleaner than NoScript. Now, I just need to locate a cross-site blocker for Chrome, similar to Verify Redirect. 🙂

  8. Bill

    I too, as Brian notes above, have long been frustrated that when I enable Java via NoScript, the page reloads and usually info that I’ve filled in vanishes, forcing me to fill in the forms all over again. I lately installed Lazarus, a form recovery add-on for Firefox, which has worked the few times I’ve used it. It’s in Beta for Chrome and Safari. You can install it via add-ons in Firefox, and read about it here: http://lazarus.interclue.com/

  9. Altcollector

    I think the real issue is commercial providers forgetting what their core business is. I can live with advertisement-supported work like this blog; what I have a hard time with is when the prime business is selling (movie tickets come to mind) and instead of focusing on that core business most of the script and content is focused on cross-selling (including my information) to the highest bidder, no matter how far removed from the core business. When I count more than 10 script providers that have nothing to do with the transaction engine or the brand owner and enabling any of these leeches is a prerequisite of doing business, I am not coming back.

    Would having so many cross links be a reason to blacklist these offenders, as having inherent security risks and clearly not the customer in mind? I do think so.

  10. John

    I wanted to use NoScript but found that every single site I visit uses JavaScript for something important. I was spending my whole day either clicking “enable on this page” or trying to decide if the current page was working or not.

    Eventually I gave up and uninstalled it.

    I need another option. Something that detects good from bad. Something like AdBlock’s whitelist.

    1. David Ward

      Could always try a DNS solution, such as OpenDNS with an elevated security setting. They maintain a list, a blacklist, of sites to block. Your browser can’t even resolve the IP for the domain. And you can block DNS names you don’t want your users going to. I’d imagine they have an inverse model where you could block everything except what you whitelist, but if you blacklisted doubleclick and a handful of ad companies I’d say you break 90% of JavaScript ad engines which refer to those domains.

  11. AlphaCentauri

    I don’t get too worried about advertisers tracking me, since I usually am on a dynamic IP and since I have my browser set to refuse third party cookies. If advertisers stopped with the animated display ads, I’d allow javascript for a lot more of them. (Surely there is an online media company willing to pledge to not use animation in hopes people will allow them to use javascript to load their ads?)

    I have no objection to them displaying ads that pay for the content I get for free. But some of the flashing ads look like they’re capable of inducing seizures in susceptible people. Thank you, Noscript, for suppressing that crap.

    1. xAdmin

      I rarely if ever see ads when using a blocking hosts file (ex. MVPS). =)

      Although it blocks ads, its primary function is blocking (blacklisting) known bad sites. I swear it alone has kept malware from getting to my system while browsing the far reaches of the Internet. Also, as I said earlier, it works regardless of what application you use to access the Internet as it works at the OS level.

  12. PC.Tech

    -Very- timely Brian – for all of us…

    Fake VirusTotal site serves malware
    http://www.net-security.org/malware_news.php?id=1730
    24.05.2011 – “VirusTotal – the popular free file checking website – has been spoofed by malware bakerys, warns Kaspersky Lab*. A simple -visit- to the site triggers the download of a worm via a java applet embedded in the code… It’s aim is to recruit the computer it infected into a botnet that would ultimately be used to perform DDoS attacks, and to communicate to the C&C information about the system (hostname, type and version of the OS, etc.)… malware bakerys have lately begun combining the use of malicious JavaScript code and social engineering techniques, since it allows them to infect computers regardless of the browser or operating system used.”
    * http://www.securelist.com/en/blog/208188086/Fake_virustotal_website_propagated_java_worm
    “… the website looks the same way as the original**. However, hidden in the source the parameters needed to infect the system through a java applet through which discharge completely silent malware…”
    ** http://www.securelist.com/en/images/pictures/klblog/208188087.png
    (Screenshot at the URL above.)

    1. Michael

      Useless report – they don’t provide any information regarding the URL of the fake site, so what good does this do me? I don’t have a way of blocking it.

  13. Minot Isok

    Brian is showing you how to take control of your browsing. He’s showing you a choice.

    A text-only, static webpage can offer only so much info. As web development tools improve then maybe JavaScript will become a thing of the past.

    For my choice I use a fully tweaked/locked down NoScript and AdBlock Plus with filters in Firefox 4. That is my choice on how I interact with the web.

    1. David Ward

      I’ll chip in.
      I use NoScript on Firefox 4, with OpenDNS, and a hosts file I just inherited from CCleaner or one of those. Oh and FlashBlock & Certificate Patrol (as recommended on Security Now).

      1. BrianKrebs Post author

        David, I might be mistaken, but I believe having Flashblock and NoScript on the same browser is unnecessary. NoScript blocks Flash objects for sites on which you have not allowed scripting. Unless this has changed with FF4, but I know the NoScript and Flashblock authors sometimes read this blog, so perhaps one of them can straighten me out.

  14. Houston

    I was waiting for someone to mention ABP as the perfect complement to NoScript.

  15. redwolfe_98

    the post makes it sound like you cannot control javascript, in IE (internet explorer) when, in fact, controlling javascript in IE is very simple.. just follow MS’s recommendation for using high security settings for the “internet zone” while adding sites (which need javascript) to IE’s “trusted zone”, as necessary.. this is a very simple and easy way to control javascript, in IE..

  16. Kooberfacer

    I don’t think it can be said enough, but thanks for the heads up anyways. I do use JavaScript but I remain very aware of how folks can exploit it.
    While some block it entirely, I simply won’t be scared away because of what MIGHT happen. Still, that being said, be aware of it, which is the gist I get from this post.

  17. Chris

    I love NoScript. In addition to thwarting all kinds of nasties from ads to malware, it raises awareness about how lazy site administrators use external script sources and thus provide nice data mining opportunities (read: Analytics, scriptaculous etc.).

  18. Amelia@ Ethical Hacking

    In Firefox, you’ll be almost always protected if you are using an updated or patched JS. Updating is easy and it’s typically automatic.

    My second line of defense is also NoScript. I’ve been using this program for several months now and it works wonders. I also use it to make webpages and websites (with tons of unnecessary Flash-based and JS-based ads) load faster. It’s great if you only want the site’s text to appear – awesome for news, blogs, ezine articles, forums, etc…

    1. Josh

      If by JS you mean Javascript then I think you’re confusing it with Java (or the Java Runtime Environment, to be more precise). The Java Runtime Environment is a major attack vector and it needs to be patched regularly. The best protection against malicious Javascript is to just not run it unless you need to.

      I don’t think Firefox auto-updates Java without the user’s consent. I stopped using it in favor of Chrome a while back though so it’s possible it’s a new feature or option that I missed.

      One thing I like about Chrome is that it will block any plugins from running if they are out of date. With Chrome you’re prompted to update the plugin every time you try to run it. It’s a great way to nag people into updating. You are still given the option to manually allow it to run on a case by case basis as you browse.
