[thelist] ajax, javascript libraries - security.

trevor trevor at intospace.ca
Thu Apr 12 13:19:27 CDT 2007

hi  folks,
recently read an article on securityfocus.com, at this link: 
http://www.securityfocus.com/news/11456  entitled "Developers warned to 
secure AJAX design".    they refer to a study and paper issued by fortify 
security, which i also read.

the general idea of the two articles is that libraries such as 
scriptaculous, dojo, YUI, and others are not clearly enough stating the 
cross-site javascript hijacking issues, and that those libraries actually 
**encourage** practices that are insecure, specifically such as using JSON 
to pass sensitive data, (especially if the json object is cached), using GET 
in bad places (more well known already), and taking advantage of cacheing 
for performance gains.

but while they point out their concern, they only barely address solutions, 
and i admit that one of their solutions i did not understand how it secured 
anything.  but technically, they weren't promising any solutions, just 
drawing attention to this as a security issue.  so i emailed them for some 
extra details, but haven't yet heard back from them.   i'm surprised also 
that they did not have a forum to comment on the fortify article, it's a 
pdf - and you have to hand over personal info in order to d/l it.   seems a 
tad unfriendly, but anyway, their paper did seem to bring up some realistic 

so...i'm looking for opinions and resources that discuss these issues.  - 
any of the ajax/javascrip guru's here have any advice?

thanks kindly, trevor 

More information about the thelist mailing list