I started writing my diploma thesis about AJAX application security a few weeks ago, and I'm having some minor problems. I'm trying to find any vulnerability that is specific to AJAX, but can't find any valuable ones. It seems that XMLHttpRequest bugs regarding HTTP response splitting and web cache poisoning (link) have been mostly fixed, so the most interesting thing would be JavaScript Hijacking (link). I must say that this also looks primarily like an XSS problem, rather than a new exploit opportunity.
The OWASP Top 10 (link) vulnerabilities are just too non-AJAX-specific, and Top 10 Ajax Security Holes and Driving Factors (link) doesn't seem too deep.
Also, client attacks that are very interesting, like XSS proxy (link) and JS port scanning (link), are not really using much AJAX.
I guess I'll have to find out something myself :)
Wednesday, April 11, 2007
Friday, April 6, 2007
Javascript security for newbies
Hi all. I'm gonna start my blog with a cut&paste from the comp.lang.javascript newsgroup, quoting a post I recently saw. If you think about it, the original post was a pretty nice idea:
On Feb 6, 4:37 pm, "Lucas Kruijswijk" wrote:
> Hello all,
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.
> Each time a http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
The words password and JavaScript send a chill down my spine. Remember
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating DOM, creating dynamic
pages. Security is something always best kept to a computer you know
(e.g. the server) rather than the user's computer you know nothing
about.
> In this way, no need for session.
> Is there a security problem with this kind of programming?
> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.
> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.
> Or, does someone disagree?
> Regards,
Please don't do this!
The full posting is on
link
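The session-key approach that the question sets aside, in line with the reply's advice to keep security on the server, as an added example (not part of the original post or thread). It assumes a Node.js backend; every name, the timeout and the sample account are hypothetical.

```javascript
// Added example: the server checks the password once, then hands the page an
// opaque random token. The page never has to keep the password in a variable.
const nodeCrypto = require('node:crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;  // assumed idle timeout
const users = new Map();                 // user -> { salt, hash }
const sessions = new Map();              // token -> { user, expires }
// Dummy record so unknown users cost the same hashing work as known ones.
const DUMMY = { salt: nodeCrypto.randomBytes(16), hash: Buffer.alloc(32) };

function hashPassword(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

function register(user, password) {
  const salt = nodeCrypto.randomBytes(16);
  users.set(user, { salt, hash: hashPassword(password, salt) });
}

// The password crosses the wire once (over https); only the token comes back.
function login(user, password, now = Date.now()) {
  const rec = users.get(user) || DUMMY;
  const candidate = hashPassword(password, rec.salt);
  const ok = nodeCrypto.timingSafeEqual(candidate, rec.hash) && users.has(user);
  if (!ok) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  return token;
}

// Run on every AJAX request: returns the user name, or null if not valid.
function authenticate(token, now = Date.now()) {
  const s = sessions.get(token);
  if (!s) return null;
  if (now >= s.expires) { sessions.delete(token); return null; }
  s.expires = now + SESSION_TTL_MS;      // sliding expiry
  return s.user;
}

// A leaked token can be killed server-side; a leaked password stays valid
// until the user changes it.
function logout(token) {
  return sessions.delete(token);
}

// Constructed sample account for the demonstration.
register('alice', 'constructed-sample-password');
```

If the token leaks through the page, the damage is bounded by the timeout and by `logout`, and the password itself is not exposed.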