It seems some folks at TheServerSide.com have started bashing AJAX because they see it as a threat to Java. This has led to fairly ridiculous posts such as this one, entitled "But most of all samy is my hero", which states

The story is, a myspace user named samy wanted to be popular. He wanted to make his page do things that others couldn't and in the process devised a cross system scripting (XSS) attack that managed to add his profile to more than a million other users of the system. To do this he used a combination of AJAX and JavaScript.

It is not the intention to make samy even more famous but he has exposed a serious weakness in the AJAX security model. All samy did was figure out how to upload some JavaScript into his profile and this was despite myspace’s best efforts to limit this type of activity.

With respect to security, the web is already a hostile environment. Will a move to use AJAX and JavaScript further enlarge the security holes that already exist? Could myspace have done more to prevent this type of attack and still afford their users the flexibility to manage their pages as they do now?

Even though I haven't looked at the code of the exploit, I think it is fair to say that this issue has little to do with "the AJAX security model" as implied by the author of the post. Any system that accepts user input has to worry about how it scrubs that data, because some of its users will be malicious. Not properly scrubbing input data leads to all sorts of security problems, including buffer overflows and cross site scripting attacks.
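The kind of scrubbing the post is talking about, as an added example (not code from this post, from TheServerSide or from MySpace): user-supplied profile HTML is passed through an allowlist-based sanitizer, so only a few harmless tags survive and everything else is emitted as escaped, inert text. The tag and attribute allowlist and the http/https-only link policy are assumptions made for the example, and the sample inputs are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for the example (not MySpace's): tags a user may keep, and the attributes allowed on each.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}  # absolute links only; javascript:, data: and relative refs are dropped


class ProfileSanitizer(HTMLParser):
    """Re-emits allowlisted markup; unknown tags, unlisted attributes, comments and declarations are neutralised."""

    def __init__(self):
        super().__init__()  # default convert_charrefs=True: entities reach handle_data already decoded
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))  # <script> becomes &lt;script&gt;
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers and every other unlisted attribute are dropped
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:  # disallowed or stray end tag: keep it as text
            self.out.append(escape(f"</{tag}>"))
            return
        while self.open_tags:  # close it, and anything still open inside it
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))  # re-escapes decoded entities and any raw < > & " '


def sanitize_profile(user_html):
    """Return user-supplied profile HTML with only the allowlisted markup left intact."""
    parser = ProfileSanitizer()
    parser.feed(user_html)
    parser.close()  # flush any buffered text
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))  # balance unclosed tags
    return "".join(parser.out)
```

The point is the direction of the filter: instead of trying to enumerate what is dangerous, it enumerates what is allowed and escapes the rest, which is what an input-scrubbing FAQ would recommend regardless of whether the page later uses AJAX.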

I'd suggest that some of the folks on TheServerSide need to read up on some of the FAQs on cross site scripting attacks before blaming AJAX for problems that have nothing to do with it.


Categories: Web Development

Friday, 21 October 2005 05:05:54 (GMT Daylight Time, UTC+01:00)
Interesting interview with the author, he claims MySpace does a very good job of scrubbing input and he was really taking advantage of browser bugs rather than MySpace.

http://blog.outer-court.com/archive/2005-10-14-n81.html
Friday, 21 October 2005 16:05:46 (GMT Daylight Time, UTC+01:00)
This comment is right on:

"News at 11: TCP/IP and life in general are not secure. Death is the only certainty in life. In fact, we could securely say that insecurity is far from impossible -- it is inevitable.

We can try to mitigate the impact, but ultimately, nothing can be secured unless we learn how to secure our bodies and minds.

All this blaming of insecurity on this or that technology is nonsense. It's AJAX! Nah... it's the browser. Nah, it's the server. Nah, it's the wire. Nah, it's the blood. Nah, it's our expectations... Take away any of these elements and the "security break" that Samy performed cannot happen. People will NEVER find a comfortable way to secure assets. Having an asset is having an insecurity. Only a very obstinate person does not see this.

As soon as you acquire an asset, right away your mind is beset with worries of protecting it and securing it. If it truly was an asset, it should then secure itself and even secure its owner, as opposed to cause its hapless owner to get early gray hair and ulcers trying to secure it."