Saturday, February 23, 2008

Frequent JavaScript Errors on Major Web Sites

I have been seeing more and more JavaScript errors on all kinds of web sites.

I wonder if the owners of these web sites don't notice the errors because they have turned off JavaScript error reporting in their browsers. If you care about your security and your web site, I would recommend not doing this, and reporting any errors you find to the owner of the web site.

The other option is that the owner of the web site never sees the JavaScript error. Because JavaScript is a client-side technology, it executes on the machine that is requesting the web site. If something is different on that machine, the web site owner may not see the error unless they are testing every browser combination, and even if they are, they may still not see it in the case of XSS and other client-side attacks.

For instance I have some JavaScript that loads up some frames. I have one user that gets a bogus site when logging in and those frames are loaded up. That doesn't happen to any other user. Chances are that error is something specific to that computer or that network that I would never see had that person not reported the error.

That is why it is important for everyone to report any errors they see to the web sites they use regularly.

Sometimes the owners of the web site cannot see what you are seeing.

And on that note, web site owners that support hundreds or millions of customers need to make their support staff aware that these things CAN and DO happen, and not treat customers who report them like morons because the staff is looking at the page and not seeing the same thing.

One other comment on this topic: one site having this problem is using Urchin, which has some JavaScript and an iframe containing who knows what. A lot of major web sites use Urchin and all sorts of software to track advertising and marketing. Many times the marketing staff demands these partnerships, which put their customers at risk and can actually hurt rather than help the business. I would suggest never including an iframe on any page other than static HTML, and definitely not on a login page or e-commerce web site. Even on a static site, an iframe can be used to change the content the user is getting in the main page, so I would personally never use one with content hosted by a third party and/or code that is not highly scrutinized by security experts, not the average web developer. Also, when using Urchin, etc., it is crucial to constantly test and monitor client-side, not just server-side, code execution. Also, hackers are smart enough not to send their malicious code to your monitoring system in many cases.
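One way a site owner could get the client-side view described above, shown as an added example that is not part of the original post: a page script that reports JavaScript errors and any iframe or script source whose origin the owner did not expect. The function names, `EXPECTED_ORIGINS` and `REPORT_URL` are assumptions chosen for illustration.

```javascript
// Added example (constructed): names, origins and REPORT_URL are assumptions.
const EXPECTED_ORIGINS = ['https://www.example.com', 'https://static.example.com'];
const REPORT_URL = '/client-report'; // hypothetical collection endpoint

// Return the frame/script URLs whose origin is not on the owner's allowlist.
function findUnexpectedSources(urls, pageUrl, allowed) {
  const unexpected = [];
  for (const raw of urls) {
    if (!raw || raw === 'about:blank') continue; // empty frames carry no remote content
    let origin;
    try {
      origin = new URL(raw, pageUrl).origin; // relative URLs resolve against the page
    } catch (e) {
      unexpected.push(raw); // an unparseable src is itself worth reporting
      continue;
    }
    // javascript: and data: URLs have the opaque origin "null" and are flagged too.
    if (!allowed.includes(origin)) unexpected.push(raw);
  }
  return unexpected;
}

// Normalise the details of a client-side error into a bounded report object.
function buildErrorReport(message, source, line, column, userAgent) {
  return {
    kind: 'js-error',
    message: String(message).slice(0, 500), // cap size of attacker-influenced text
    source: source || '(inline)',
    line: Number(line) || 0,
    column: Number(column) || 0,
    userAgent: userAgent || ''
  };
}

// Browser-only wiring: skipped when the file is loaded outside a page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const send = (report) => navigator.sendBeacon(REPORT_URL, JSON.stringify(report));
  window.addEventListener('error', (ev) => {
    send(buildErrorReport(ev.message, ev.filename, ev.lineno, ev.colno, navigator.userAgent));
  });
  window.addEventListener('load', () => {
    const srcs = Array.from(document.querySelectorAll('iframe[src], script[src]'), (el) => el.src);
    const bad = findUnexpectedSources(srcs, location.href, EXPECTED_ORIGINS);
    if (bad.length) send({ kind: 'unexpected-source', page: location.href, sources: bad });
  });
}
```

Because the check runs in each visitor's browser, it reports what that machine actually loaded, but code injected into the page can also disable it, so an absence of reports is not evidence that nothing went wrong.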