Security


Thursday, April 5th, 2007

Protecting a JavaScript Service

Category: Articles, Security

There is increasing buzz over security with JavaScript, and people are stepping up to the plate. In How to Protect a JSON or Javascript Service, Joe Walker looks at a few solutions such as: Use a Secret in the Request; Force pre-eval() Processing; Force POST requests. Joe implements some of these in DWR, including: Prefix Read the rest…

Posted by Dion Almaer at 8:37 am
5 Comments


Tuesday, April 3rd, 2007

Towards Secure Ajax Mashups

Category: JSON, Remoting, Security

Ajax pioneer Brent Ashley has written a developerWorks article about making Ajax mashups secure. It looks at where it’s at today and where it’s all headed. He begins by surveying current techniques for calling external servers, such as the popular On-Demand Javascript technique. This has well-known security issues. The scalability benefit of the <script> tag Read the rest…

Posted by Michael Mahemoff at 6:27 pm
2 Comments


Friday, March 30th, 2007

Clipperz Crypto Library and Online Password Manager

Category: JavaScript, Library, Security

Clipperz is an online password system that contains a JavaScript library to provide web developers with an extensive and efficient set of cryptographic functions. It is released under a BSD license. Clipperz includes portions of code from a few third-party libraries, such as MochiKit, YUI and Ext, to allow smoother and quicker coding. In order Read the rest…

Posted by Dion Almaer at 7:47 am

Friday, March 23rd, 2007

Operator overloading in Javascript 2 and a potential monster CSRF hole

Category: Editorial, Security

Joe Walker is thinking about security again, and is worried about Operator overloading in Javascript 2 and a potential monster CSRF hole. In question is the proposal of operator overloading in JavaScript 2 that could allow someone to override <, > and / to do some evil things. <script Read the rest…

Posted by Dion Almaer at 7:37 am
8 Comments


Tuesday, March 6th, 2007

The safety of JSON

Category: JSON, Security

Joe Walker is talking about the safety of JSON. He has talked about CSRF in the past, and this time he delves into the Array/JSON hack: Here’s how it works, and you can follow along with any JavaScript console: Redefine the Array constructor: function Array() { alert("hi"); } Verify that this constructor is called when Read the rest…

Posted by Dion Almaer at 12:01 am
24 Comments


Thursday, February 8th, 2007

CSRF Protection Idea

Category: Security

Joe Walker has an idea for CSRF protection. Will it work? There are several ways to forge a request in a CSRF attack: iframe, script tag, image tag, scripted window.open() etc. As far as I know XHR is not one of these, because cross-domain rules kick in before the request is sent and not when Read the rest…

Posted by Dion Almaer at 10:00 am
9 Comments


Friday, February 2nd, 2007

Making your web applications more secure:

Category: Security

Nadav Samet has written a simple article explaining various security attacks, called Prepare for Attack!—Making Your Web Applications More Secure. It explains in simple terms, with simple code examples: SQL Injection Attacks; XSRF: Cross-Site Request Forgery; XSS: Cross-Site Scripting.

XSRF: Stealing Information with Scriptaculous

<script src="http://www.tgbank.com/monthly_statement.js" type="text/javascript"></script>
<script type="text/javascript"> Read the rest…

Posted by Dion Almaer at 2:05 am
8 Comments


Tuesday, January 9th, 2007

PassPack and aSSL

Category: Security

Francesco Sullo’s day job is to work on PassPack, an online password manager. PassPack is based on the Host-Proof Hosting Ajax Pattern. How it works: PassPack uses a double access technique: User ID and Pass give a user access to her Account, while the Packing Key is needed to access the actual passwords. The “Pack” Read the rest…

Posted by Dion Almaer at 9:52 am
6 Comments


Monday, December 18th, 2006

aSSL – Ajax Secure Service Layer

Category: Security, Utility

Francesco Sullo has created aSSL (Ajax Secure Service Layer), an open source library built to substitute for SSL in Ajax applications. First a random 128-bit key is negotiated with the server, then, once the connection is established, data is exchanged using BlockTEA. The most recent version of aSSL (v1.1) implements what Francesco calls Read the rest…

Posted by Dion Almaer at 6:47 am
19 Comments


Sunday, December 3rd, 2006

Does AJAX cause a larger “Attack Surface”? No.

Category: Articles, Security

WhiteHat Security digs deep into the mess of “Ajax is insecure” hype with their article on Myth-Busting AJAX (In)security. They discuss: Does AJAX cause a larger “Attack Surface”? No. Does AJAX make the “Attack Surface” harder to find? Yes and No. Can AJAX cause “Denial of Service”? Not really. Does AJAX rely on client-side Read the rest…

Posted by Dion Almaer at 9:59 am

Wednesday, November 29th, 2006

Passlet: Ajax password manager with AES client-side encryption

Category: Security, Showcase

Passlet is a new Ajax password manager that does all encryption/decryption on the client side. Passlet uses the industry-standard key derivation function PBKDF2 (cf. RFC 2898) to derive a 128-bit AES key from the master password. Here is the Password-Based Key Derivation Function 2 (PBKDF2) JavaScript implementation. Agatra (covered earlier) offers similar functionality, but Passlet Read the rest…

Posted by Dion Almaer at 8:37 am
9 Comments


Thursday, November 16th, 2006

Popup Nightmare 2.0?

Category: Advertising, Security

Nat Torkington on the O’Reilly Radar recently commented on the rise of “floats” (AKA “divdows”, “Ajax dialogs”). One of the really big issues facing us, IMHO, is the new Javascript-driven ad technology called “floats”. They’re not separate windows popped up, they’re in-window divs that move up to obscure the web page and force the user Read the rest…

Posted by Michael Mahemoff at 5:34 pm
22 Comments


Tuesday, November 7th, 2006

Ajax and Security – Discuss

Category: Books, Editorial, Remoting, Security, Testing, The Ajax Experience

Often when you hear discussions regarding Ajax and security, it’s said that the issues remain the same as they were ten years ago: don’t trust user input, don’t expose sensitive data without encryption, code for security from day one, never display system error messages, etc. While that is all true and good, one thing I Read the rest…

Posted by Rob Sanheim at 8:00 am
9 Comments


Saturday, November 4th, 2006

Capturing users info via auto-form fill and Ajax

Category: Security

Convenience is a great thing, but sometimes the most convenient action isn’t always the best. Being able to eat mangos and bananas in the middle of winter up north is great for the consumer, but maybe not for the environment. Form auto fill plugins and builtins offer the convenience of not having to type your Read the rest…

Posted by Dion Almaer at 8:52 am
6 Comments


Tuesday, October 17th, 2006

Using Applets to Play Outside of the Sandbox

Category: Security

Imaging Experts has a solution to allow you to get out of the sandbox via signed applets the right way. The problem they ran into was that they were getting the following message when trying to write to a file, even with a signed applet: java.security.AccessControlException: access denied (java.io.FilePermission C:\images\img1.tif read) at java.security.AccessControlContext.checkPermission(Unknown Source) at Read the rest…

Posted by Dion Almaer at 7:48 am
5 Comments


Thursday, August 24th, 2006

I Know Where You’ve Been…

Category: JavaScript, Security

Jeremiah Grossman writes in with a downright spooky blog posting: I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. On the right side column notice the “I know where you’ve been” heading. Below that, if you’re using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to Read the rest…

Posted by Ben Galbraith at 2:27 pm
8 Comments
