Secure Coding mailing list archives
How can we stop the spreading insecure coding examples at training classes, etc.?
From: pmeunier at purdue.edu (pmeunier at purdue.edu)
Date: Mon, 28 Aug 2006 16:40:45 -0400
Quoting "Wall, Kevin" <Kevin.Wall at qwest.com>: (clip)
At another point, while Atlas JavaScript gadgets was being demoed, someone asked if one could use XMLHttpRequest (XHR) to invoke _any_ URL. The speaker correctly answered "no; only back to the originating host:port from where the JavaScript was downloaded from". The questioner then remarked something like "oh, that's too bad". But instead of explaining why allowing cross-domain requests is inherently a BAD Thing, the speaker replied "oh, don't worry; we also provide you with some software [apparently a proxy of sorts -kww] that Microsoft wrote that you can put on your web server so your users can call out to any URL that they wish, so it's not limited to calling just pages on your own site." "Great, I thought. Why don't you also provide some mechanisms to automatically insert random XSS and SQL injection vulnerabilities into your code too." Sigh.
<snip>

Kevin,

Thanks, I almost fell out of my chair laughing. It reminds me of their "SOAP" idea to bypass those pesky firewalls.

Apple also finds that security measure "unfortunate" without an explanation of the underlying security reasons: "Second, the domain of the URL request destination must be the same as the one that serves up the page containing the script. This means, unfortunately, that client-side scripts cannot fetch web service data from other sources..." (http://developer.apple.com/internet/webcontent/xmlhttpreq.html)

But never fear, tell your users who use Firefox to install the Greasemonkey extension, and hop, you can bypass this security nuisance (http://blog.monstuff.com/archives/000262.html -- though this entry points out it should be used only for development purposes and otherwise a bad idea). IE users just have to click OK in the "confirmation" dialog box that pops up.

I hate JavaScript because it makes me feel so much at the mercy of web developers, who sometimes require it just to emulate an <A> link or a submit button...

Pascal
Current thread:
- How can we stop the spreading insecure coding examples at training classes, etc.? Wall, Kevin (Aug 27)
- How can we stop the spreading insecure coding examples at training classes, etc.? pmeunier at purdue.edu (Aug 28)
- How can we stop the spreading insecure coding examples at training classes, etc.? pmeunier at purdue.edu (Aug 29)
- How can we stop the spreading insecure coding examples at training classes, etc.? Tim Hollebeek (Aug 30)
- CERT C Programming Language Secure Coding Standard Robert C. Seacord (Aug 31)