funsec mailing list archives
Evil Javascript: Web 2.0 As A Story To Be Destroyed by Hackers
From: "Fergie" <fergdawg () netzero net>
Date: Wed, 7 Feb 2007 23:50:42 GMT
If you read and absorb no other security-related story this week, you'd be well-advised to read and understand this one. And if you think I'm kidding... don't. :-)

As Ryan mentions in this article, NoScript rocks as a Firefox plug-in: http://noscript.net/ :-)

Via 27B Stroke 6.

[snip]

The best conference presenters have a story to tell, and this morning, Billy Hoffman -- the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.

Traditional web applications have an input box that lets you send information to a webserver, which then passes the info to a database or application in the background, and your browser waits for a response and then you are taken to a new page.

Websites that use AJAX use a powerful combination of JavaScript and continual communication with the server in the background, removing the lag associated with page refreshes and letting sites like Google Maps feel more like desktop applications.

The problem -- as many know is that JavaScript is a very powerful language -- and when developers aren't careful it's possible to insert other JavaScript into a website via a link that lets an attacker do bad things, like delete your account if you click on a link or visit an evil page.

[snip]

More: http://blog.wired.com/27bstroke6/2007/02/web_20_as_a_sto.html

-- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
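The "JavaScript inserted via a link" problem the quoted article describes is reflected cross-site scripting. The following is an added example, not code from the post, the article or SPI Dynamics: a hypothetical /search?q= page rendered once without output encoding and once with it, plus a check a reviewer can run over the rendered HTML. All function names and the sample link are constructed for this illustration.

```javascript
// Added example: why a page that copies a URL parameter straight into its
// HTML can be driven by a crafted link, and how HTML entity encoding of the
// untrusted value before insertion leaves the same input inert.

// Minimal encoder for text placed in element content or a double-quoted
// attribute value: the five characters that can change HTML structure.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Pulls the "q" parameter out of a request URL (hypothetical search page).
// URL.searchParams percent-decodes the value, as a server framework would.
function getQuery(url) {
  return new URL(url, 'http://example.invalid').searchParams.get('q') || '';
}

// Vulnerable rendering: the search term goes into the markup unchanged, so
// whatever the link carried becomes part of the page's own script.
function renderSearchPageUnsafe(url) {
  return `<h1>Results for ${getQuery(url)}</h1>`;
}

// Hardened rendering: same page, but the term is encoded first, so a
// browser shows the literal text instead of executing it.
function renderSearchPageSafe(url) {
  return `<h1>Results for ${escapeHtml(getQuery(url))}</h1>`;
}

// Review / test-suite check: does the rendered HTML contain a script element
// or an inline event-handler attribute the developer never wrote?
function containsInjectedScript(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample link of the kind the article warns about; the payload
// only changes the document title, which is enough to prove execution.
const craftedLink =
  'http://example.invalid/search?q=' +
  encodeURIComponent('<script>document.title="owned"</script>');

console.log(containsInjectedScript(renderSearchPageUnsafe(craftedLink))); // true
console.log(containsInjectedScript(renderSearchPageSafe(craftedLink)));   // false
```

Encoding must match the context the value lands in; this encoder covers element content and quoted attributes, not JavaScript string literals or URLs.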