Secure Coding mailing list archives

How can we stop the spreading insecure coding examples at training classes, etc.?


From: pmeunier at purdue.edu (pmeunier at purdue.edu)
Date: Mon, 28 Aug 2006 16:40:45 -0400

Quoting "Wall, Kevin" <Kevin.Wall at qwest.com>:

(clip)
At another point, while Atlas JavaScript gadgets was being demoed,
someone asked if one could use XMLHttpRequest (XHR) to invoke
_any_ URL. The speaker correctly answered "no; only back to the
originating host:port from where the JavaScript was downloaded
from". The questioner then remarked something like "oh, that's too
bad". But instead of explaining why allowing cross-domain requests
is inherently a BAD Thing, the speaker replied "oh, don't worry;
we also provide you with some software [apparently a proxy of
sorts -kww] that Microsoft wrote that you can put on your web
server so your users can call out to any URL that they wish,
so it's not limited to calling just pages on your own site."
"Great, I thought. Why don't you also provide some mechanisms to
automatically insert random XSS and SQL injection vulnerabilities
into your code too." Sigh. 

<snip>

Kevin,
   Thanks, I almost fell out of my chair laughing.  It reminds me of their
"SOAP" idea to bypass those pesky firewalls.  Apple also finds that security
measure "unfortunate" without an explanation of the underlying security reasons:

"Second, the domain of the URL request destination must be the same as the one
that serves up the page containing the script. This means, unfortunately, that
client-side scripts cannot fetch web service data from other sources..."
(http://developer.apple.com/internet/webcontent/xmlhttpreq.html)

But never fear, tell your users who use Firefox to install the Greasemonkey
extension, and hop, you can bypass this security nuisance
(http://blog.monstuff.com/archives/000262.html  -- though this entry points out
it should be used only for development purposes and otherwise a bad idea).  IE
users just have to click OK in the "confirmation" dialog box that pops up.

I hate JavaScript because it makes me feel so much at the mercy of web
developers, who sometimes require it just to emulate an <A> link or a submit
button...  

Pascal
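The origin rule the speaker describes (same scheme, host and port as the page that served the script), next to an allowlist check for the kind of server-side proxy this thread objects to, as an added example that is not part of the original thread. Node.js; the upstream in `ALLOWED_UPSTREAMS` is a constructed placeholder.

```javascript
// Added example, not code from the thread. Uses the WHATWG URL class
// that ships with Node.js.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to its origin, filling in the scheme's default port so
// that "http://host" and "http://host:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// The XHR rule quoted in the thread: a script may only call back to the
// scheme, host and port it was loaded from.
function sameOrigin(scriptUrl, targetUrl) {
  return originOf(scriptUrl) === originOf(targetUrl);
}

// A proxy on the web server that forwards to "any URL they wish" reopens
// exactly what that rule closed, and it does so with the server's own
// network position. If a proxy is unavoidable, pin it to an explicit
// allowlist of upstream origins and reject everything else.
const ALLOWED_UPSTREAMS = new Set([
  originOf("https://api.example.com"), // constructed placeholder upstream
]);

function proxyAllowed(targetUrl) {
  let u;
  try {
    u = new URL(targetUrl);
  } catch (e) {
    return false; // unparseable input is rejected, not guessed at
  }
  if (u.protocol !== "https:") return false;   // no http:, file:, ftp: ...
  if (u.username || u.password) return false;  // no credentials smuggled in the URL
  return ALLOWED_UPSTREAMS.has(originOf(targetUrl));
}

module.exports = { originOf, sameOrigin, proxyAllowed };
```

Because the check compares full origins, a request to the allowed host on a different port, over plain http, or to the server's own loopback address is refused rather than forwarded.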

