JavaScript has become a popular language in the 21st century. There are roughly 1.6 billion websites globally, and over 95% of them (1.52 billion websites) use JavaScript. It is widely used for developing web applications, especially the front-end aspect that focuses on aesthetics and animations. If you are interested in hacking web applications, it is highly advisable to learn JavaScript at an intermediate level. All indications show that JavaScript will remain the predominant language used in developing web applications for the foreseeable future. To properly exploit a web application, you must understand the code used to create that web application.
Cross-site scripting (XSS) is a common web application vulnerability, found in about 50% of all web applications. It works by injecting JavaScript into a page served by the web server, so that whenever someone loads that page, the injected code executes in their browser. Typically, the code is submitted through input forms such as a comment section on a webpage or a search bar. To perform this type of attack, you must understand how to create JavaScript that will perform meaningful actions when executed on a client machine.
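The comment-form case described above, as an added example that is not part of the original post: a server-side renderer that concatenates a user comment straight into HTML (the mistake that creates stored XSS), beside the same renderer with output encoding, plus a small check a test suite can run over the rendered output. Function names, the HTML fragment and the sample comment are all constructed for illustration.

```javascript
// Added example (not from the original post): rendering a user comment into
// HTML, first the vulnerable way, then with output encoding.

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so the browser renders it as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment is pasted into the markup unchanged, so any tags
// inside it are parsed as tags and any script inside it runs on page load.
function renderCommentUnsafe(author, comment) {
  return '<div class="comment"><b>' + author + '</b>: ' + comment + '</div>';
}

// Hardened: every untrusted value is encoded for the text context it lands in,
// so the browser shows the tags as characters instead of executing them.
function renderCommentSafe(author, comment) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(comment) + '</div>';
}

// Detection helper for a code reviewer or a unit test: does the rendered
// fragment contain a raw <script> tag or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input of the kind a stored-XSS probe submits.
const SAMPLE_COMMENT = '<script>alert(document.cookie)</script>';

console.log('unsafe:', renderCommentUnsafe('alice', SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe('alice', SAMPLE_COMMENT));
```

The hardened version encodes for the HTML text context only; a value placed inside a JavaScript string, a URL, or a CSS rule needs the encoding appropriate to that context, which is why frameworks ship separate escaping functions per context.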
Analyzing Source Code
If you use the Google Chrome browser, you can right-click anywhere on a webpage and select "inspect the source code." By doing so, you can read and analyze any webpage to search for potential vulnerabilities. Since most of the world's websites use JavaScript, it is important to know how to read and recognize common security mistakes written in JavaScript. This way, you will know what your options are for hacking into that application. For example, you may notice that user input is not properly sanitized, leaving the page vulnerable to an XSS attack, whether stored or reflected. Also, if you understand the different JavaScript libraries, you can recognize vulnerabilities associated with the specific libraries used to build the application.
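Reading front-end source for unsanitized input, as an added example that is not part of the original post: a small reviewer's aid that scans JavaScript source text for DOM sinks that become XSS when fed untrusted data, and marks lines where such a sink sits next to a known untrusted source. The sink list, the source list and the sample page script are constructed for illustration; a real review follows each hit back through the code to where the data enters.

```javascript
// Added example (not from the original post): flag DOM-XSS sinks in JS source.

// Each entry: a pattern that matches a sink and a note on why it is risky.
const DOM_XSS_SINKS = [
  { name: 'innerHTML/outerHTML assignment', pattern: /\.(?:inner|outer)HTML\s*=/, note: 'parses the string as HTML' },
  { name: 'insertAdjacentHTML', pattern: /\.insertAdjacentHTML\s*\(/, note: 'parses the string as HTML' },
  { name: 'document.write', pattern: /\bdocument\.write(?:ln)?\s*\(/, note: 'writes raw HTML into the document' },
  { name: 'eval / Function', pattern: /\b(?:eval|new\s+Function)\s*\(/, note: 'executes the string as code' },
  { name: 'setTimeout/setInterval with a string', pattern: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/, note: 'executes the string as code' },
];

// Common places where attacker-controlled data enters a page.
const UNTRUSTED_SOURCES = /\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer|cookie)|window\.name)\b/;

// Scan the source line by line and return one finding per (line, sink) pair.
function findDangerousSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const line = index + 1;
    for (const sink of DOM_XSS_SINKS) {
      if (sink.pattern.test(text)) {
        findings.push({
          line,
          sink: sink.name,
          note: sink.note,
          // A sink and an untrusted source on the same line is the highest-priority hit.
          untrustedSourceOnLine: UNTRUSTED_SOURCES.test(text),
          text: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of page script a reviewer might open in the inspector.
const SAMPLE_SOURCE = `
const params = new URLSearchParams(location.search);
const name = params.get('name');
document.getElementById('greeting').innerHTML = 'Hello ' + name;
document.getElementById('greeting2').textContent = 'Hello ' + name;
document.write('<p>' + location.hash + '</p>');
setTimeout("refresh()", 1000);
`;

for (const f of findDangerousSinks(SAMPLE_SOURCE)) {
  const flag = f.untrustedSourceOnLine ? ' [untrusted source on same line]' : '';
  console.log(`line ${f.line}: ${f.sink} (${f.note})${flag}`);
}
```

The textContent assignment on line 5 of the sample is not reported because it writes text, not markup; the innerHTML assignment on line 4 is reported even though the untrusted value (location.search) was read two lines earlier, which is exactly the kind of hit that needs a human to trace the data flow.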
Another attack vector that can be performed with JavaScript is session hijacking. For instance, whenever you log in to an application like Facebook, Instagram, or TikTok, you are not required to log in again every time you return. This is due to a session established between your machine and that web server. Using JavaScript, an attacker can read the cookies that hold a user's session ID and hijack that session, effectively obtaining the access level of the user whose ID was stolen. So if you stole the session ID of an admin-level user, you could execute tasks that an admin-level user can do for a certain amount of time.
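The cookie-theft scenario above, as an added example that is not part of the original post: an audit of Set-Cookie headers that reports whether a session cookie can be read by page script at all. The HttpOnly attribute is what keeps a session ID out of document.cookie, so an injected script cannot read it; Secure and SameSite close the network and cross-site paths. The header values and the cookie name are constructed; the attribute names are the standard ones.

```javascript
// Added example (not from the original post): audit a session cookie's attributes.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs[key] = val;
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Return the list of weaknesses for a cookie that carries a session identifier.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) {
    problems.push('missing HttpOnly: readable via document.cookie, so injected script can exfiltrate it');
  }
  if (!attrs.secure) {
    problems.push('missing Secure: also sent over plain HTTP, so it can be captured on the network');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    problems.push('SameSite not Lax or Strict: attached to cross-site requests, which assists CSRF');
  }
  return problems;
}

// Constructed headers: one as often seen in the wild, one hardened.
const WEAK_HEADER = 'sessionid=abc123; Path=/';
const STRONG_HEADER = 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

for (const h of [WEAK_HEADER, STRONG_HEADER]) {
  const problems = auditSessionCookie(h);
  console.log(h, '=>', problems.length ? problems : 'ok');
}
```

HttpOnly does not stop a script from sending requests that carry the cookie, so it blocks theft of the session ID but not actions performed from within the victim's page; that is why the CSRF defenses below matter as well.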
Cross-site request forgery (CSRF/XSRF)
This attack type tricks a browser into executing a request on a website that the user is already logged into, even if that website is not open at the time. Think of sites like Facebook or Instagram, where people usually stay logged in: someone may use this type of attack by getting you to click a link that contains code which automatically makes a post on your behalf. If CSRF is used against a target site that relies on cookies, the attack becomes more potent because the browser sends the user's cookies with the forged request, so it runs with that user's level of authorization. According to Veracode, roughly 60% of applications are vulnerable to a CSRF attack.
Conclusion
JavaScript is a popular programming language for web application development, alongside HTML and CSS. JavaScript is used in 95% of applications worldwide, and it is becoming the backbone of most user-facing applications. If you want to hack into these applications, a good understanding of JavaScript will enable you to become proficient in popular web-based attacks like XSS, CSRF, and session hijacking. Also, once you know how to read JavaScript, you can read the source code of web pages to identify vulnerabilities that could lead to zero-day exploits. Overall, to properly hack into web applications, you must understand their underlying code, and for the vast majority of applications, this is JavaScript.