Thursday, December 7. 2006
From time to time I visit the Diary of the Internet Storm Center. Sometimes they write very interesting stuff and sometimes plain nonsense like repeating again and again the urban legend that allow_url_fopen protects against URL include vulnerabilities.
Today there was once again a very amusing post from Tom Liston from Intelguardians. The post is about a piece of encoded JavaScript malware(?) that was found on a site and the process of decoding it. While it is true that the encoding used in this case was not very smart, the amusing part of this post is that it is a rant against JavaScript and JavaScript programmers. While he is at it, he calls JavaScript a toy language and JavaScript programmers wanna-be real programmers.
When you read this you think that this guy has most probably never seen the amount of JavaScript behind large Web 2.0 sites or never seen the power of Firefox extensions that are completely written in JavaScript. You start thinking about him being an Internet Explorer user, which is kinda strange because most security professionals choose one of the real browsers like Firefox, Safari or Opera. This does not mean that they are more secure, but the amount of Firefox plugins for header/request manipulation alone is reason enough for many professionals to use it for their daily work. And extensions like NoScript simply do not exist for IE. (Or am I wrong?)
So far the Firefox advertisement, back to the JavaScript malware. Tom continues to rant about the malware author being not so clever, because he used array notation to access the content of strings, which does not work according to Tom.
Turns out, it was the JavaScript jockey who wasn't so clever. Dude... if you're out there and reading this, take some notes, ok? You can't access a string using array notation: "a[c]" doesn't work. Here's how you fix it: you need to replace "a[c]" with "a.substr(c, 1)"
At this point you have to smile. Lesson one you learn when working in web application security is that just because something does not work in your browser, that doesn't mean it will fail in another browser, too. Tom's observation is most probably correct, because you cannot access strings using array notation in this toy browser called Internet Explorer, but in browsers like Firefox or Opera this works perfectly.
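The following is an added example, not code from the original post or from the ISC diary: it runs one decoder loop under several models of string access to show why a sample should be evaluated against each target engine rather than a single browser. The encoded string, the shift-by-one encoding and all function names are constructed for illustration, and the "bracketFails" accessor is an assumed stand-in for an engine where "a[c]" yields undefined.

```javascript
// Constructed sample: the benign text "decoded ok" with every char code shifted up by 1.
const ENCODED = "efdpefe!pl";

// Hypothetical models of how an engine answers "character c of string a".
const ACCESSORS = {
  bracketWorks: (a, c) => a[c],       // Firefox/Opera behaviour as described in the post
  bracketFails: (a, c) => undefined,  // assumed model: no indexed access on strings
  substr: (a, c) => a.substr(c, 1),   // the rewrite from the quoted ISC post
  charAt: (a, c) => a.charAt(c),      // equivalent portable accessor
};

// The decoder loop, parameterised on the accessor so one sample can be
// evaluated under each engine model.
function decode(encoded, at) {
  let out = "";
  for (let c = 0; c < encoded.length; c++) {
    out += String.fromCharCode(at(encoded, c).charCodeAt(0) - 1);
  }
  return out;
}

// Run the sample under every model and record either the output or the failure.
function compareEngines(encoded) {
  const report = {};
  for (const [name, at] of Object.entries(ACCESSORS)) {
    try {
      report[name] = { ok: true, output: decode(encoded, at) };
    } catch (err) {
      report[name] = { ok: false, error: err.name };
    }
  }
  return report;
}

// Engine models whose result differs from the baseline: behaviour an analyst
// would miss by testing in only one browser.
function divergentEngines(report, baseline) {
  const want = JSON.stringify(report[baseline]);
  return Object.keys(report).filter((n) => JSON.stringify(report[n]) !== want);
}

const report = compareEngines(ENCODED);
console.log(report, divergentEngines(report, "bracketWorks"));
```

A decoder that throws under one model and produces clean output under another is a sign the analysis environment, not the sample, is what failed.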