Author Topic: A question about scripting  (Read 41 times)

ITWhore

  • Wise Sage
  • *****
  • Posts: 1982
A question about scripting
« on: August 30, 2004, 10:27:35 pm »
I have set my Internet Explorer security options such that scripting (both Active and Java) is prompted.  Is there any way for me to figure out what is actually in the script before allowing or disallowing it?

JBB

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 2362
Re: A question about scripting
« Reply #1 on: September 01, 2004, 03:34:55 pm »
Sort of.  If you come to a page that has a script, you're going to get prompted before you can determine what the script has in it.  However, if you download the source code for the page and don't simply click through to it, you can view the source for the page.  I can see that doing this would be a real pain.  If you do click through and get prompted, decline to allow the script to run and then view the source.

The script itself may be embedded in the source for the page in script tags or it may be linked to the page.  If it is linked, you can download the file that contains the script and look at it that way.

I know of no utility that will warn you ahead of time what the script does.  The only way I know of is to analyze the script itself.

Hope this helps.
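An added example, not part of JBB's post or the original thread: one way to do the "view the source instead of running it" step on page source saved to disk, listing inline scripts, linked script files, inline event handlers, and compiled applet/ActiveX references without executing anything. The class name, function name, sample page and `example.test` URL are hypothetical; it goes slightly beyond the post by also flagging `on*` attributes and `javascript:` URLs.

```python
# Added example (not from the thread); all names and the sample page are hypothetical.
from html.parser import HTMLParser
from urllib.parse import urljoin

class ActiveContentLister(HTMLParser):
    """Collect active content from page source without executing any of it."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.inline = []    # bodies of <script>...</script> blocks
        self.linked = []    # absolute URLs of <script src=...> files to download and read
        self.handlers = []  # (tag, attribute, code): on* attributes and javascript: URLs
        self.compiled = []  # (tag, reference): applets/ActiveX, binary, not readable as text
        self._buf = None    # list of text chunks while inside a <script> element

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if attrs.get("src"):
                self.linked.append(urljoin(self.base_url, attrs["src"]))
            self._buf = []
        elif tag in ("object", "applet", "embed"):
            ref = attrs.get("classid") or attrs.get("code") or attrs.get("data") or attrs.get("src")
            self.compiled.append((tag, ref))
        for name, value in attrs.items():
            if name.startswith("on") or value.strip().lower().startswith("javascript:"):
                self.handlers.append((tag, name, value))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

def list_active_content(html, base_url):
    parser = ActiveContentLister(base_url)
    parser.feed(html)
    parser.close()
    return parser

SAMPLE = """<html><head><script src="/js/menu.js"></script>
<script>if (1 < 2) { document.title = "hi"; }</script></head>
<body onload="init()"><a href="javascript:void(0)">x</a>
<applet code="Clock.class"></applet></body></html>"""  # constructed sample page
```

Call `list_active_content(saved_source, page_url)` on source fetched with a non-browser tool; each URL in `.linked` still has to be downloaded and read separately, and entries in `.compiled` are binaries that cannot be reviewed this way.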


The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Re: A question about scripting
« Reply #2 on: September 01, 2004, 03:53:10 pm »
JBB is right. He's talking mainly about JavaScript (where the code is all in the open) but the problem is even worse for ActiveX or Java. The latter are compiled and you have no way to know.

In the worst case, visiting some unpatched, virally infected web sites will bestow viruses or adware upon your PC if you use Internet Explorer. Just "looking" at them will screw you; you don't even have to do anything.

This was the infection vector of the Nimda/Code Red virus from a few years ago. My unpatched NT4 box was screwed, so I should know. :(
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.


bushsr41

  • Guest
Re: A question about scripting
« Reply #3 on: September 01, 2004, 08:50:33 pm »
Can't you just do a "view" "source" from IE when the scripting message comes up or before?

my scriptstock = recursive loop

JBB

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 2362
Re: A question about scripting
« Reply #4 on: September 02, 2004, 05:14:56 pm »
Possibly, if that option is offered by IE; however, I don't believe it is offered.  I believe that when it prompts you to run the script, you either run it or don't run it.

Also, Goddard is correct, server-side scripting languages run on the server and you have no way of knowing what they do exactly; however, in the case of server-side scripts, only the results of the scripts are sent to the client computer (your machine / IE / whatever browser you use).  Consequently, there are some limitations as to what viruses a server-side script can accidentally pass down to you.

Essentially either the author of the server-side script must have written the script with the malicious intention to infect your machine by passing something down or the source directory for the web site on the server must have been infected and corrupted by the virus, meaning the web server was infected and the admin (firewall and/or web server) is either asleep at the wheel, or it's a new virus that is unshielded against.

But your question was how to view the source for the script before running it.  You can't view the source for server-side scripts unless you have access to view the code on the web server that runs them.


The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Re: A question about scripting
« Reply #5 on: September 02, 2004, 05:19:11 pm »
I was describing ActiveX and Java applets that are downloaded to the web browser and which really do run on your own workstation. These things are downloaded as compiled gook (ActiveX is Win32 compiled binary, Java is bytecode) and can't be inspected as a practical matter.

This is the stuff that the 'Internet Security' options in IE control, but it's a bulk rate level of control - you permit or deny by domain and "zone" (internet zone, other trust level zones.)

I doubt a server side script can do all that much except be really really annoying...


JBB

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 2362
Re: A question about scripting
« Reply #6 on: September 03, 2004, 12:31:46 pm »
Yep, I agree.  One thing a server-side script could do (in theory) is to detect the browser you're connected with and pass down a client-side script in the source it serves up, meant to take advantage of some browser-specific vulnerability.  It can also do things like forward you to a page with a virus, etc.  Lots of possibilities, but they pretty much all require malicious intent on the part of the web developer who created the script, unless the web server itself gets infected with some kind of bug that writes itself into the source being served up.

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
Which is why I use Mozilla ...
« Reply #7 on: September 03, 2004, 12:53:30 pm »
All the virus and adware fragged PCs I've seen, doing a little freelance tech support, have been the Internet Explorer users beholden to the "I am an utterly oblivious end user and I worship Microsoft" thing.

You tell 'em that they could easily do this and it would prevent 90% of their virus problems, and you might as well wave a mirror over their face to see if it fogs, indicating life...


