How can I get a virus by just visiting a website? [duplicate]

It is common knowledge that you can get a virus just by visiting a website. Can anybody explain how this is possible?

Examples in parens. There's a bug in the browser (IE), the javascript interpreter, or in a plugin (like flash or java). This bug leads to code execution - that part can be really complicated but it often involves a use-after-free bug and heap manipulation.

Then I've got some shellcode running. The shellcode must escape whatever protections the browser has - for a V8/Chrome bug you'd have to escape chrome's sandbox and defeat DEP and ASLR. For IE, you'd have to beat DEP and ASLR and then bust out of the low integrity mode. For Java you'd have to... do nothing - you're all golden. (That's why there's been a spate of java bugs.)

So now that I've got arbitrary code running on your machine, as you (you're not running as admin, right?), I can go download a file from the internet and run it, dropping some malware on your machine.

Are the viruses programmed in JavaScript? (It would make sense since it is a programming language that runs locally.) If so, what JavaScript functions are the ones commonly used?

Specifically - no. Javascript is an attack vector people will use to find a bug in a browser. They could also use Flash, Java, or Silverlight as an attack vector. In javascript's case, they write javascript to trigger the browser bug, and then the virus is eventually pulled down from the internet.
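The chain this answer sketches (a use-after-free, heap grooming so attacker bytes land where a function pointer used to live, then the stale call turning into code execution) as an added C example; it is not code from the original answers. It uses a constructed toy allocator (`toy_malloc`/`toy_free`, 32-byte slots handed out LIFO like a size-class free list) and a function `attacker_code` that stands in for shellcode; the object layout, names and inputs are this example's own assumptions. There is deliberately no DEP, ASLR or sandbox in the toy, which is the situation the answer describes for the plugin case.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: NSLOTS fixed-size slots, free list is LIFO, so the
   most recently freed slot is the next one handed out (as size-class
   allocators commonly behave). All of this is this example's construction. */
#define SLOT_SIZE 32
#define NSLOTS 8

static union { unsigned char bytes[NSLOTS * SLOT_SIZE]; long double align; } arena;
static int free_slots[NSLOTS];
static int free_top;

static void heap_init(void) {
    memset(&arena, 0, sizeof arena);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_slots[free_top++] = i;
}
static void *toy_malloc(void) {
    return free_top > 0 ? arena.bytes + free_slots[--free_top] * SLOT_SIZE : NULL;
}
static void toy_free(void *p) {
    free_slots[free_top++] = (int)(((unsigned char *)p - arena.bytes) / SLOT_SIZE);
}

/* A DOM-node-like object whose first field is a function pointer (think vtable). */
typedef struct { void (*on_event)(int *); int id; } node_t;

static void benign_handler(int *ctx) { *ctx += 1; }
/* Stands in for shellcode: in a real exploit this would be attacker-supplied bytes. */
static void attacker_code(int *ctx) { *ctx = 0xdead; }

int slot_reused;   /* set when the attacker's allocation landed in the freed node's slot */

/* Vulnerable flow: free the node, keep the pointer, then fire an event on it. */
int run_vulnerable(void) {
    heap_init();
    slot_reused = 0;
    node_t *n = toy_malloc();
    n->on_event = benign_handler;
    n->id = 1;
    int ctx = 0;
    n->on_event(&ctx);                 /* legitimate call: ctx becomes 1 */
    toy_free(n);                       /* node released, but n still points at the slot */

    /* Heap grooming: the attacker asks for an allocation of the same size class
       and fills it with the address of the code to run. The LIFO free list
       returns n's old slot, so the bytes land exactly where on_event lived. */
    unsigned char *spray = toy_malloc();
    void (*fp)(int *) = attacker_code;
    memcpy(spray, &fp, sizeof fp);
    if (spray == (unsigned char *)n) slot_reused = 1;

    n->on_event(&ctx);                 /* use-after-free: control goes to attacker_code */
    return ctx;
}

/* Hardened flow: the dangling pointer is cleared at free time and checked before use. */
int run_hardened(void) {
    heap_init();
    node_t *n = toy_malloc();
    n->on_event = benign_handler;
    n->id = 1;
    int ctx = 0;
    n->on_event(&ctx);
    toy_free(n);
    n = NULL;                          /* no stale reference survives the free */
    unsigned char *spray = toy_malloc();
    void (*fp)(int *) = attacker_code;
    memcpy(spray, &fp, sizeof fp);     /* same grooming, now with nothing to hijack */
    if (n) n->on_event(&ctx);          /* never reached */
    return ctx;
}

int main(void) {
    printf("vulnerable: ctx=0x%x (slot reused: %d)\n", run_vulnerable(), slot_reused);
    printf("hardened:   ctx=0x%x\n", run_hardened());
    return 0;
}
```

Compile with any C99 compiler and run; the vulnerable path ends with `ctx` set by `attacker_code`, the hardened one with `ctx == 1`. In a real browser the same stale call would reach the attacker's address only after the protections the answer lists (DEP, ASLR, the sandbox) have also been defeated; the toy shows just the memory-corruption step.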


Unfortunately and perversely, there are any number of ways this could happen.

You are absolutely right to be astonished that a "reading device" like a browser could actively manipulate your own system (and do harm). Reading a book doesn't deplete your bank account and opening a newspaper doesn't hurt your children, so why can opening a website do all that and more?

The problem occurs whenever there is a possibility that foreign data from the internet, which we must always assume to be crafted with the utmost malicious intent, somehow manages to be executed by your system.

If you just sit at the command line and type wget http://evil.com/hitme.php, the wget HTTP client will simply write a binary dump of the request to your disk and nothing bad has happened (other than perhaps your disk filling up). But if you type the address into your browser, your browser is free to do whatever it wants -- format your hard disk, send your credit card details away, etc. It's up to you to trust your browser not to do that. Most browsers indeed attempt not to do those bad things, but we, the sheep users, have demanded that browsers be able to do ever more "clever tricks" and exhibit automatic behaviour based on instructions from the internet. Our demands have led to the creation of client-side code execution technologies like JavaScript and Flash, which download arbitrary, foreign, untrusted, malicious code and execute it, all for our pleasure.

The reason that the people who came up with those technologies weren't immediately lynched is because a) it made bunnies dance on our screens, and b) they claimed that they put sufficient safety checks into the design to prevent the arbitrary malicious code from manipulating the local system (e.g. not allowing it to read/write the local disks, read/write the clipboard, read/write form fields in other tabs).

Unfortunately, the design approach to "first allow everything and then patchily cover up a few bad spots we can think of" is fundamentally flawed, and now we are facing a never-ending stream of new ways in which our client-side convenience features can be used to compromise our systems.

The only moderately safe way out is to disable JavaScript and plugins in your browser. Safe like we were in 1995.


The point that's really been sidestepped in these answers, that I really want to beat home, is this: the reason you can get a virus from a webpage is that some software you're running has a bug - a security vulnerability.

In every step of the process of creating the software, the creators of Flash; of your browser; of your operating system have tried to make sure random, malicious code from the internet can't just figure out a way to execute itself. Unfortunately, doing this is hard. Really hard.

So, like all humans, the developers of this software are bound to make mistakes: the HTML parser accidentally overwrites one byte in the stack when you end the html with </p. They accidentally used a signed int instead of an unsigned int. The javascript JIT-compiler accidentally tries to dereference an array-index into a null-pointer. All of these vulnerabilities plus millions more occur all the time in software, either because of lack of security knowledge, or an oversight, or even just a simple mistake. Software is simply way too complex to catch them all.

Because of this, operating systems have built-in mechanisms to prevent damage to the system, even when a vulnerability is found. Your OS probably has DEP and ASLR. Programs can have various protections added by the compiler. Browsers run at lower privileges. Programs are run through automatic analysis and testing that can catch a lot of these vulnerabilities.

My point is, nobody is letting this happen - but it's impossible to design completely secure software, just like it's impossible to design a completely secure safe. Someone with enough time, knowledge, money and incentive will always find a way to crack it open. And the problem with this safe is, once some hacker cracks open their copy of it, they can easily open other copies around the world without leaving their room.
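One of the "simple mistakes" this answer lists, a signed int used where an unsigned one was needed, worked through as an added C example that is not part of the original answers. The wire format (4-byte little-endian length, then payload), the 64-byte destination buffer, the function names and the three constructed messages are all this example's assumptions; the vulnerable path computes the size `memcpy` would be handed rather than performing the copy, since the real copy would crash the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: 4-byte little-endian payload
   length followed by the payload. The parser copies into a 64-byte buffer. */
#define MAX_PAYLOAD 64

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable check: the length field is kept in a signed int. A header of
   ff ff ff ff reads as -1, which is not "> MAX_PAYLOAD", so the bounds check
   passes; converted to memcpy's size_t parameter the same value is SIZE_MAX.
   Only the size that memcpy would receive is returned here, not the copy. */
size_t vulnerable_copy_size(const unsigned char *msg) {
    int len = (int32_t)read_le32(msg);
    if (len > MAX_PAYLOAD)
        return 0;                        /* rejected as too long */
    return (size_t)len;                  /* what memcpy would be given */
}

/* Hardened parse: unsigned length, checked against both the destination
   buffer and the number of bytes actually present. Returns the payload
   length, or -1 if the message is rejected. */
int hardened_parse(const unsigned char *msg, size_t msglen,
                   unsigned char out[MAX_PAYLOAD]) {
    if (msglen < 4) return -1;                          /* no complete header */
    uint32_t len = read_le32(msg);
    if (len > MAX_PAYLOAD || len > msglen - 4) return -1; /* too big, or truncated */
    memcpy(out, msg + 4, len);
    return (int)len;
}

/* Constructed inputs. */
static const unsigned char GOOD_MSG[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char NEG_MSG[]   = { 0xff, 0xff, 0xff, 0xff, 'x' };   /* length -1 as int */
static const unsigned char TRUNC_MSG[] = { 100, 0, 0, 0, 'x' };             /* claims 100, carries 1 */

int demo_good(void)  { unsigned char b[MAX_PAYLOAD]; return hardened_parse(GOOD_MSG,  sizeof GOOD_MSG,  b); }
int demo_neg(void)   { unsigned char b[MAX_PAYLOAD]; return hardened_parse(NEG_MSG,   sizeof NEG_MSG,   b); }
int demo_trunc(void) { unsigned char b[MAX_PAYLOAD]; return hardened_parse(TRUNC_MSG, sizeof TRUNC_MSG, b); }

int main(void) {
    printf("vulnerable size for ff ff ff ff header: %zu (SIZE_MAX is %zu)\n",
           vulnerable_copy_size(NEG_MSG), (size_t)SIZE_MAX);
    printf("hardened: good=%d neg=%d trunc=%d\n", demo_good(), demo_neg(), demo_trunc());
    return 0;
}
```

The check "is it bigger than the buffer?" looks right in the vulnerable version; the bug is purely in the type of the variable it is applied to, which is why such mistakes survive review. The hardened version also rejects a message whose declared length exceeds the bytes received, a second, independent way for a parser to read past its input.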