[thelist] ajax, javascript libraries - security.
trevor
trevor at intospace.ca
Thu Apr 12 13:19:27 CDT 2007
hi folks,
recently read an article on securityfocus.com, at this link:
http://www.securityfocus.com/news/11456 entitled "Developers warned to
secure AJAX design". they refer to a study and paper issued by fortify
security, which i also read.
the general idea of the two articles is that libraries such as
scriptaculous, dojo, YUI, and others are not clearly enough stating the
cross-site javascript hijacking issues, and that those libraries actually
**encourage** practices that are insecure, specifically using JSON to
pass sensitive data (especially if the JSON object is cached), using GET
in bad places (already more well known), and taking advantage of caching
for performance gains.
but while they point out their concern, they only barely address solutions,
and i admit that i did not understand how one of their solutions secured
anything. but technically, they weren't promising any solutions, just
drawing attention to this as a security issue. so i emailed them for some
extra details, but haven't yet heard back from them. i'm also surprised
that they did not have a forum to comment on the fortify article; it's a
pdf, and you have to hand over personal info in order to d/l it. seems a
tad unfriendly, but anyway, their paper did seem to bring up some realistic
concerns.
so...i'm looking for opinions and resources that discuss these issues.
do any of the ajax/javascript gurus here have any advice?
thanks kindly, trevor