Full Disclosure mailing list archives
Re: JavaScript exploits via source code disclosure
From: "Elazar Broad" <elazar () hushmail com>
Date: Thu, 06 May 2010 13:59:44 -0400
If his users are authenticated via, say, regular form login, he can pass some sort of hash which identifies the user and session to the service, with the authentication wrapper being server side, which begs the question, do you trust your users... How would such a firewall work/help anyway? It still has to make some sort of authorization decision, and if the services in question are not called by pages that are login protected, you're back to square one. How do you pass some sort of 'I know this is the page calling me and not the attacker' without the client seeing that too?

elazar

On Thu, 06 May 2010 13:46:08 -0400 T Biehn <tbiehn () gmail com> wrote:
> A proxy or 'web-service firewall' prior to the 'protected' web service is the correct answer. Obfuscating the client code, be it JavaScript, interpreted (Java, CLR, etc.) or native, ignores the notion that the client controls hardware, OS, the executing process and the network. Signals can be intercepted at any layer. Any other assertion is ridiculous and a waste of time and effort.
>
> -Travis
>
> On Thu, May 6, 2010 at 1:08 PM, Elazar Broad <elazar () hushmail com> wrote:
>> Unless you wrap your service methods with some form of authentication, your web services are just as public as any other "world"-accessible part of your site. Are the pages calling these services behind any sort of authentication?
>>
>> On Thu, 06 May 2010 01:44:07 -0400 Ed Carp <erc () pobox com> wrote:
>>> We've got a lot of jQuery code that calls back-end web services, and we're worried about exposing the web services to the outside world - anyone can "view source" and see exactly how we're calling our web services. Are there any suggestions or guidelines regarding protecting one's source from such disclosure? Thanks in advance!
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
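To make the "authentication wrapper being server side" idea from the thread concrete, here is an added example (not code from any poster): a framework-free JavaScript handler in which both the identity and the authorization decision come from the server-side session, so nothing visible in the page's jQuery source grants access. The session ids, users, order records and the requireSession/getOrder names are constructed for the illustration.

```javascript
// Added example, not code from the thread: a server-side auth wrapper for a
// JSON web service that client-side jQuery calls. Identity is taken only from
// the server's session store, never from anything the page's JavaScript sends,
// so "view source" on the client reveals nothing that helps an outsider.

// Constructed session store: opaque session id (set as a login cookie) -> user.
const sessions = new Map([
  ["s-7f3a9c", { user: "alice" }],
  ["s-21d0be", { user: "bob" }],
]);

// Constructed resource table with per-record ownership.
const orders = new Map([
  [1001, { id: 1001, owner: "alice", total: 42 }],
  [1002, { id: 1002, owner: "bob", total: 17 }],
]);

// Parse a Cookie header ("a=b; c=d") into an object. Values are only ever
// used as lookup keys, never trusted as identity by themselves.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// The wrapper: refuse the call unless the cookie resolves to a live session.
// Headers such as X-Requested-With or a "page secret" are deliberately ignored:
// anything the page can send, any other HTTP client can send as well.
function requireSession(handler) {
  return (req) => {
    const sid = parseCookies(req.headers.cookie || "").sid;
    const session = sid ? sessions.get(sid) : undefined;
    if (!session) return { status: 401, body: { error: "authentication required" } };
    return handler(req, session);
  };
}

// GET /orders/:id, wrapped. The authorization decision is server side too: the
// record must belong to the authenticated user. Answering 404 rather than 403
// avoids confirming to a non-owner that the id exists at all.
const getOrder = requireSession((req, session) => {
  const order = orders.get(Number(req.params.id));
  if (!order || order.owner !== session.user) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: order };
});
```

The same wrapper applies to every service method the page calls; the session cookie should be HttpOnly and the service should additionally require CSRF protection, which this example leaves out.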