Javascript. Worth The Time?

[Phreakdaline5]

So I want to preface this by saying... I'm really only doing this because I find it fun, not because I think it's going to be a serious part of my career path. But here's where I'm at.

I am really pretty new when it comes to any advanced computing topics. Anything I do know, I learned by figuring it out myself, browsing for free tutorials and courses, and bugging the pros for information =). I admit that I'm considered a script kiddie when it comes to hacking, but I do everything I do to try and learn how it works, while seeing what it can do (in a totally legitimate and legal way to be clear). I have really been wanting to get into programming, not as a career, but to suppliment my skills as a future security proffessional. I started trying to learn C, Java, Python... all on my own, based on different recommendations. All the free resources I could find out there were confusing, dry, and difficult for me to grasp as a zero experience beginner.

Then I stumbled upon the Hak5 episode where they reviewed www.Codeacademy.com, as well as some other resources. Just to try it out I jumped on and started their beginner Javascript course, and absolutely loved it. Not only is it easy to understand, the format they use for teaching just works, and is alot of fun. Frankly I never expected to feel that way about programming of all things. I've continued it and I'm now going through their intermediate focus courses.

Here's my question. How useful is Javascript? I've heard some rather negative things about it, and I just want to get some of your opinions. Like I said at the beginning, I'm doing it anyways, because I finally get it, and it's working/fun. I do still intend to start learning some more useful and low level languages like C and possibly Python, just trying to guage how helpful Javascript is going to be in reguards to learning other languages, and what it can be used for in general. Also, say I do develop a proficieny, and want to move on to something else, where should I start?

Thanks for always being helpful by the way Hak5 community. I haven't posted much but I've gleaned much knowledge and had a lot of questions answered just by reading others posts. =)

-Nick

[Sitwon]

There's absolutely nothing wrong with learning JavaScript and I'm sure it will be well worth your time. Especially as we move more and more browser-centric model of computing JavaScript will become increasingly valuable and relevant. Keep in mind that with and understanding of JavaScript not only can you write your own code for web pages that you publish, but you can also pick apart the code that other people have published or create browser add-ons which inject your own custom scripts into other peoples websites. You can do some really powerful things when armed with a little knowledge of JavaScript, some creativity, and enough free time to experiment with it.

C and Python are also good languages, and I can point you to some good resources for learning them, if you're interested.

Learning to write code is extremely empowering, and learning any programming language will make it easier to learn others.

[digip]

Javascript is what the internet runs on. Whether people think about it or not, go to any site and view the source of the page. There will more than likely, be some form of it used on nearly every site you visit. AJAX for example, and jQuery, are more what you see these days, but they are more or less subsets of Javascript and asynchronous http requests. Many attacks on the web, such as XSS, are Javascript, and many apps that run on your PC and Mobile devices, are HTML based these days, and use it even while offline, whether you knew it or not. KOS did a great talk at Derbycon last year about XSS on the desktop and on devices, via things like Google Maps app for phones and even Skype, so there is no getting away from it, Javascript is highly used today. It's cross platform and runs on every OS that uses a browser and web based apps.

Edited April 18, 2012 by digip

[Phreakdaline5]

Well those are both very encouraging answers. Thanks for the insight, I guess this is going to be more beneficial than I thought. Also thanks for the link to that other page, looks like a lot of good info there that I'll be taking advantage of. Any other advice is always welcome.

[Jason Cooper]

JavaScript can also be run now server side with node.js

A language that be used to code both Client and Server side on the web is a very powerful thing to learn and while it hasn't yet prised perl from my hands as the language of choice it is running a close second.

[bobbyb1980]

I've been doing an hour or two per day of Python for 6 months or so now and while it is extremely time consuming I have to say it's been worth it. I bought a giant 1100 page book on it and just work through that. I plan on starting C after this book. It's pretty amazing how versatile it is and the amount of applications it has, from security software to financial forecasting to google and youtube (which are both mostly C based and Python). I think from doing it, it has also taught me to view a lot of tasks in a different light.

I think what language to learn really depends on what you want to do with it.

[entity]

Jason Cooper JavaScript can also be run on server side with Google's V8 engine no ? ... the same thing node.js runs on

[Tox1k]

I'd recommend learning C first, seeing as Javascript is based off of C, and programming in C will develope better habits than some nasty java habits.

[digip]

I'd recommend learning C first, seeing as Javascript is based off of C, and programming in C will develope better habits than some nasty java habits.

I'd say no to this. C is not only complex and requires more specific knowledge of the OS itself, but also for a completely different subtext of what you would end up doing with it. If you want to learn object oriented programming and make your own programs that you can compile to run on different systems, then yes, learn C, but alone it is no reason to skip over Javascript. Especially if it is what got him/her inspired to learn in the first place. I myself have tried learning C, and to be honest, I don't care to learn it. Its foreign to me and for what I do, I don't need it. Javascript, for what little I do know, makes more sense to me for what I do with it (web design, xss, etc) but is also a great place to get started with programming, even if just for the fundamentals. Many of the concepts of Javascript apply to many different languages, and I see no reason to skip it just to learn C/C++.

I think if you have the time and interest, then learn both C and Javascript, but don't let someone tell you any one language should be learned over another or before another. Everyone has their preferences, but if it interests you, then pursue it. If not, move on to the next thing that gets you inspired.

Edited April 19, 2012 by digip

[Tox1k]

Well, he did say he wanted to be a security professional, not a web designer. Therefore C would be ideal. While Java is what the internet runs on, C is multi-platform, lower-level, and more versatile for a security professional.

Many of the concepts of Javascript apply to many different languages, and I see no reason to skip it just to learn C/C++.

That's like saying learn spanish to learn latin, then you can expand to french. You'd want to learn latin first, because both spanish and french are romantic languages based off of latin. Java and C#/C++ are based off of C. Java does have plenty of nasty habits that will not work in C++/C# which are more likely what he would be using as a security professional, be it network or software. The fundamentals of C will apply to Java or C++, but the most of fundamentals of Java will most likely not apply to the fundamentals of C++. Java is not the ideal starting language, simply for those reasons. You can do it, but it will make expanding more difficult.

However, you're not going to learn anything if you're not interested, so pick whichever one is relevant to your interests.

[Jason Cooper]

JavaScript can also be run on server side with Google's V8 engine no ? ... the same thing node.js runs on

Kind of, the v8 engine is designed to be included in other applications. node.js takes the v8 engine, as you say, but combines it with other libraries to give a really good environment for developing server side code.

The general advice I would give is to use the v8 engine if you are looking to include JavaScript support in an application, but to use node.js if you are intending to code server side JavaScript, especially if you want a lot of documentation and examples to look at when things get tricky.

[Sitwon]

I myself have tried learning C, and to be honest, I don't care to learn it. Its foreign to me and for what I do, I don't need it. Javascript, for what little I do know, makes more sense to me for what I do with it (web design, xss, etc) but is also a great place to get started with programming, even if just for the fundamentals.

If you don't know C what makes you so qualified to bash it? Especially in comparison to a language you admit to knowing poorly. Please don't trash talk about languages you hardly know. Comparatively, C is not a very complex language. The syntax is nearly identical to JavaScript but grammatically it is far simpler. C is also not a particularly good language for learning object-oriented programming, as it has no built-in support for the OOP paradigm (unlike JavaScript which is a prototype-based language and inherently object-oriented).

I think if you have the time and interest, then learn both C and Javascript, but don't let someone tell you any one language should be learned over another or before another. Everyone has their preferences, but if it interests you, then pursue it. If not, move on to the next thing that gets you inspired.

Very true words. I agree 100%.

Well, he did say he wanted to be a security professional, not a web designer. Therefore C would be ideal. While Java is what the internet runs on, C is multi-platform, lower-level, and more versatile for a security professional.

Not just ideal, I would argue that learning C would be essential to becoming a well-rounded security professional. That doesn't mean you have to learn it first or even right away. Contrary to what you'll hear from a lot of developers, I have not found and credible scientific evidence to suggest that the order in which you learn a language has any influence on good of programmer you will become. Some languages are easier to teach/learn first, but there's no such thing a wrong first language. Learn whatever language will be most immediately useful to you (or learn any language you can and use it as often as you can). Then learn other languages as you need them. If you don't need C yet, don't learn it. I expect that if you go into the security field you will need to learn it eventually, but it's not a big language, no reason to rush into it.

That's like saying learn spanish to learn latin, then you can expand to french. You'd want to learn latin first, because both spanish and french are romantic languages based off of latin.

I'm not sure that this is a particularly good analogy. If the goal is to learn French and Spanish, then just learn French and Spanish. Learning Latin first (or at all) won't save you any time or effort. On the contrary, you're more likely to waste time learning the quirks of Latin which have nothing at all to do with French or Spanish anyways.

Or put another way, you don't need to learn Latin in order to learn Italian. And it's faster/easier to just start learning Italian then to try to learn Latin and then Italian.

[digip]

If you don't know C what makes you so qualified to bash it? Especially in comparison to a language you admit to knowing poorly. Please don't trash talk about languages you hardly know. Comparatively, C is not a very complex language. The syntax is nearly identical to JavaScript but grammatically it is far simpler. C is also not a particularly good language for learning object-oriented programming, as it has no built-in support for the OOP paradigm (unlike JavaScript which is a prototype-based language and inherently object-oriented).

I wasn't trashing C. Far from it. Go back adn reread what I posted. My opinion was just that, but my point was, don't quit learning Javascript just to learn C. My opinion of C is that I didn't personally care for learning it, but I wasn't telling him not to learn C because of that, only stating how I felt about it. They were two separate thoughts, one being I don't care for it and the other, I was telling him don't let anyone tell you to learn one language over another, or that one is somehow better to learn than the other.

@Tox1k - I as referring to Javascript specifically, not Java (or Sun/Oracle Java, which I think you were referring to??), but either way, I think that if someone is learning a language and it got them inspired to do/learn more and investigate/hack, experiment, etc, I see no fault in it and more power to them. I'd rather see encouragement to learn all languages, vs dropping one to lean the other, and I think that was the point that was missed by @Sitwon.

As for the topic of security, there is plenty of things to work through with respect to Javascript and flaws, but the same can be said for any language. The way things are going these days, most attacks are web based if not attacked directly through using a browser alone with no other tools. XSS is still an issue today that plagues half the internet. The fact that javascript is embedded into apps now and runs across 99% of all devices today while offline, makes it that much more prevalent as an attack vector, ie: skype XSS attacks, email and phone apps that are web based but run locally with root privleges, etc. What function of the internet do you use today, that doesn't have javascript used in some manner?

[Sitwon]

I wasn't trashing C. Far from it. Go back adn reread what I posted. My opinion was just that, but my point was, don't quit learning Javascript just to learn C. My opinion of C is that I didn't personally care for learning it, but I wasn't telling him not to learn C because of that, only stating how I felt about it. They were two separate thoughts, one being I don't care for it and the other, I was telling him don't let anyone tell you to learn one language over another, or that one is somehow better to learn than the other.

Look at my post again, I quoted you twice. I recognized that they were two separate thoughts and responded to them separately. I agree with your second thought with regards to not quitting JavaScript. However I was disagreeing with your "opinion" of the C language.

[Phreakdaline5]

Don't get me wrong here, I do realise that C will be an important language for me, and likely the one that I will tackle next, or a little later. I think the best way I've seen it put yet was when digip said

If you want to learn object oriented programming and make your own programs that you can compile to run on different systems, then yes, learn C, but alone it is no reason to skip over Javascript. Especially if it is what got him/her inspired to learn in the first place

The reason being, this really is the first time that trying to learn programming in any form, isn't a tedious chore to me. Not to say that it'll all just be fun, but I think from what I've seen and heard it'll end up being the best way for me to break into things, and leave this noobish state behind haha.

[Steve8x]

Yeah Javascript is pimp! I always liked it since the beginning!

EDIT: Updated Scripts... Added some new ones/ shorter code ones.

Besides writing your Javascript on your own web pages, I like to write little javascripts to be injected over other pages too! Check out these I wrote and you'll see what I mean... The following scripts can be used on facebooks site to achieve what each one does... They are prefixed with 'javascript:' because they are meant to be used from your browser's URL field, 'javascript:' tells it to execute the following as javascript rather then trying to interpret it as a url or a search.

NOTE * Latest versions of firefox for a while now have blocked the use of javascript via the 'javascript:' prefix from being used whatsoever! So either use firebug and execute the javascript from its console which will work, or an alternative browser.

NOTE * Chrome now removes the 'javascript:' if its on your clipboard with whatever you paste into the URL field (your javascript) so you have to manually type the 'javascript:' at the beginning of chrome's URL field after you've pasted the script, even if 'javascript:' was part of what you copied.

FB Login:

javascript:
login = document.forms['login_form'];
login.email.value = "youremail@whatever.com";
login.pass.value = "yourpassword";
login.submit();

This works from the homepage when not logged in, it takes the login form fills out the two necessary fields and submits it.

"login = document.forms[0];" could be used instead in this case, but I figured it is better to use the form's name as it's less likely to change, though they probably wont make a form besides the login form on the homepage that comes before it.

FB Login v2: (including enabling/disabling the 'stay logged in' checkbox aka persist_box

javascript:
login = document.forms['login_form'];

for(var i in login.elements)
{
	if(login.elements[i].id == "persist_box")
	{
		stayLoggedInCheckbox = login.elements[i];
	}
}

login.email.value = "";
login.pass.value = "";
stayLoggedInCheckbox.checked = 0;

login.submit();

Changing that one line into this 'stayLoggedInCheckbox.checked = 1;' will check the stay logged in checkbox instead of unchecking it

Then I realised I could shorten it even for like this: (because I like to write my scripts as short as possible [least lines])

FB Login v3:

javascript:
login = document.forms['login_form'];
stayLoggedInCheckbox = document.getElementById('persist_box');

login.email.value = "";
login.pass.value = "";
stayLoggedInCheckbox.checked = 1;

login.submit();

FB Logout:

javascript: document.forms.logout_form.submit();

Logs out if logged in...

could also be written like: ( :D )

javascript: document.forms['logout_form'].submit();

Fill out all open chat tab's text area's: (It was supposed to be send msg to everyone whose chat tabs are open, but I couldn't figure out how to actually send the message to anyone from any tab let alone everyone... It's a bit different from submitting a form I think for this one, someone better at javascript analyzing/debugging complete this script and get it working! xD)

javascript: 
ChatTabs = document.getElementById('fbDockChatTabs');
AllTabs = ChatTabs.getElementsByTagName('*');
for (i in AllTabs)
{
	var Tab = AllTabs[i];
	if(Tab.type == "textarea")
	{
		Tab.value = "Hello EVERYONE! LOLOLOLOL xD";
	}
}
void(0);

And my personal favorite one, and which was a little trickier than the others. Took me a few revisions until I got it working!

Post status update / Post on someone's wall: (whether you're somewhere where you'll post a status update for yourself, or on someone else' page where it will post there instead)

[Post Status Update v0.5]
javascript:
PageTextAreas = document.getElementsByTagName('textarea');
PageForms = document.getElementsByTagName('form');
StatusUpdateText = PageTextAreas[0];
StatusUpdateForm = PageForms[0];
for (i = 0; i < PageTextAreas.length; i++)
{
	var TextInput = PageTextAreas[i];
	if(TextInput.className.indexOf("uiTextareaAutogrow input mentionsTextarea textInput") != -1)
	{
		if(TextInput.className.indexOf("DOMControl_placeholder") != -1)
		{
			StatusUpdateText = TextInput;
			break;
		}
	}
}
for (i = 0; i < PageForms.length; i++)
{
	if(PageForms[i].action.indexOf("/ajax/updatestatus.php") != -1)
	{	
		StatusUpdateForm = PageForms[i];

		StatusUpdateText.value = "Yo, whats good everyone?! xD";
		StatusUpdateForm.submit();
	}
}
void(0);

I found that the text area of the page containing the keywords 'uiTextareaAutogrow input mentionsTextarea textInput' and 'DOMControl_placeholder' was the right place to put the text for status updates / wall posts and also that the action of the form responsible for them was containing '/ajax/updatestatus.php'! With both of those you can then modify the text and submit a status update!! I suppose an improvement could include a delay after filling out the text to for example allow for links that load content to be properly posted.

Alright there was some fun javascripts I was working on! Off to go and write some more!

Edited June 12, 2012 by Steve8x

[bobbyb1980]

It'd be nice to be able to get a shell using only javascript...

[digip]

It'd be nice to be able to get a shell using only javascript...

Well, that depends on the implementation, but I imagine if it has prototype like the v8 engine, might be able to xhtml something to call backend stuff, but for the most part, javascript would be just XSS, and cause some other process to happen, like an admin unknowingly clicking a link/form to send you his cookies/session, or run a command for you to open something up. Who knows, maybe some code monkeys already figured out ways to pop a shell with just JS. I know you can hide shell code to take over clients machines when visiting a page, but not sure on the other way around to pop a box the JS is placed on.

edit: although, thinking aobut it now, Kos does do something similar with phones and tablets that allow xss injection and can gain root to smartphones and such, but they need vulnerable programs, like skype or google maps and isn't really the OS's fault as much as faulty apps.

Edited June 10, 2012 by digip

[xero]

i suggest anyone interesting in computers should learn a programming language.

it helps you (at least a little) to gain a greater understanding of how computers

(on in the case of js) or application on them work/interact.

tech is constantly evolving. so to a point i see learning any language as a futile

exercise, since it will be outdated in a few years. but by that logic you learn/gain

noting.

js has been up and down for years. when i was first getting into web dev js was the

new hip thing (DHTML, lulz!). then js was almost taboo for a while everyone was running

their browsers w/ js disabled. but now it's back with a vengeance! many modern websites

will not even work without it. (AJAX FTW)

TL;DR

yes, i totally suggest learning js. it's pretty simple, and there are many other languages

that are also ECMA so syntactically they are very similar (e.g actionscript3)

Edited June 14, 2012 by xero