Category: JavaScript

Aug 12 2017

faker.js – Tool To Generate Fake Data For Testing

faker.js is a tool to generate fake data in Node.js and in the browser, it has a lot of different data types to enable you to generate very customised and complete sets of fake or mock data for testing purposes. It also supports multiple languages and locales and can generate a lot of data types […] The post faker.js – Tool To...

Read the full post at
Mar 01 2016

Spam offering fake Visa benefits, rewards leads to TeslaCrypt ransomware

Spam campaign baits users with Visa Total Rewards emails containing malware that leads to Trojan.Cryptolocker.N infections.

Aug 04 2015

DRAM “Bitflipping” exploit for attacking PCs: Just add JavaScript

In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.

The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.

Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.

Read 5 remaining paragraphs | Comments

Dec 17 2014

Meet FlashFlood, the lightweight script that causes websites to falter

People have grown so dependent on websites to shop, travel, and socialize that we often forget how easy it is to slow or completely shut down the underlying server. A case in point is a new lightweight script that causes many websites to falter.

Dubbed FlashFlood, the looped JavaScript bombards a website with requests in a way that bypasses server defenses designed to protect against crashes. It can be run from computers with modest bandwidth and hardware resources. Researchers from security firm WhiteHat Security said attackers could lure unwitting participants into taking part in denial-of-service attacks, through cross-site scripting (XSS) attacks, or by tricking large numbers of people into visiting an innocuous-looking link. In a blog post published Tuesday, they wrote:

It works by sending tons of HTTP requests using different parameter value pairs each time, to bypass caching servers like Varnish. Ultimately it’s not a good idea to ever use this kind of code as an adversary because it would be flooding from their own IP address. So instead this is much more likely to be used by an adversary who tricks a large swath of people into executing the code. And as Matt points out in the video, it’s probably going to end up in XSS code at some point.

FlashFlood is particularly potent against heavy database-driven sites if they rely on caching to protect themselves. Many sites running on Drupal are a good example. The researchers estimate it would take anywhere from four to 40 machines to take down an average Apache system. "I've run into the problem before where people seem to not understand how this works, or even that it's possible to do this, despite multiple attempts at trying to explain it multiple times," WhiteHat Security researcher Robert Hansen wrote.

Read on Ars Technica | Comments