funsec mailing list archives

Evil Javascript: Web 2.0 As A Story To Be Destroyed by Hackers


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 7 Feb 2007 23:50:42 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you read and absorb no other security-related story this week,
you'd be well-advised to read and understand this one.

And if you think I'm kidding... don't. :-)

As Ryan mentions in this article, NoScript rocks as a Firefox
plug-in:

http://noscript.net/

:-)

Via 27B Stroke 6.

[snip]

The best conference presenters have a story to tell, and this morning,
Billy Hoffman -- the lead researcher at Web application security company
SPI Dynamics -- had a great story to tell Wednesday morning at the RSA
security conference about how all your favorite new Web 2.0 applications
are a boon to criminals.

Traditional web applications have an input box that lets you send
information to a webserver, which then passes the info to a database or
application in the background, and your browser waits for a response and
then you are taken to a new page. Websites that use AJAX use a powerful
combination of JavaScript and continual communication with the server in
background, removing the lag associated with page refreshes and letting
sites like Google Maps feel more like desktop applications.

The problem -- as many know -- is that JavaScript is a very powerful language
-- and when developers aren't careful it's possible to insert other
JavaScript into a website via a link that lets an attacker do bad things,
like delete your account if you click on a link or visit an evil page.

[snip]

More:
http://blog.wired.com/27bstroke6/2007/02/web_20_as_a_sto.html

- ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFFymXJq1pz9mNUZTMRAospAKD/5CLyEcAyOAy4CIGfgZQ85dJ+MQCgvPY0
ZhL/iEKU/JTJTxO2TwrKGOU=
=NKUg
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

