Full Disclosure mailing list archives
Re: JavaScript exploits via source code disclosure
From: Marsh Ray <marsh () extendedsubset com>
Date: Thu, 06 May 2010 11:59:25 -0500
I confess I don't understand all of what you wrote, but it doesn't have the ring of a bulletproof architecture. I prefer this one: Case B: Strong authentication and encryption using SSL. - Marsh On 5/6/2010 11:39 AM, PsychoBilly wrote:
************************ Cluster #[[ Marsh Ray ]] possibly emitted, @Time [[ 06/05/2010 17:42 ]] The Following #String **********************Adversary simply modifies your page in transit to not use the 'jcryption', or to leak him a copy of the session key.Tss Tss, I'm not stating client-side javascript is secure / can be obfuscated. Just provided a hint 1 - let's say it's a customer login area Case 1: legitimate user > usr+pw are transmitted encrypted, then ajax get/post calls are then still encrypted + each request is followed by a valid encrypted client session ID. Case 2: Opponent > trying to exploit login > the pb here is getting thru / not JS related // trying to exploit the ass > does not know any valid encrypted session ID > server side can drop this with minimum ressource. - not using encryption: server-side script drops connection ( as it has the duty to decrypt posts ) - leak a session key: ok, fine the opponent does have a unique ID that leads him to a login area. 2 - There's no login: it's an API // forget js because, yes, all the logic is in the oponent hands & executed on opponent machine ( so source encryption is useless ). 3- nobody can guess where/what is open on target machine, a proxy is giving one port/valid encrypted ID or just drops connection.This kind of thing will only deter people who don't know any better or people with little motivation to care about your data anyway. Using it is only an admission that you are either incompetent or don't have anything worth the slightest effort to steal. - Marsh
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- JavaScript exploits via source code disclosure Ed Carp (May 05)
- Re: JavaScript exploits via source code disclosure Marc Olive (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- <Possible follow-ups>
- Re: JavaScript exploits via source code disclosure Ed Carp (May 06)
- Re: JavaScript exploits via source code disclosure Valdis . Kletnieks (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure T Biehn (May 06)