Security
Wednesday, August 9th, 2006
Category: Ajax, Security, XmlHttpRequest
Chris Shiflett has posted his look today at cross-domain Ajax requests and some of the security implications that can come with them, especially in a world where more and more developers are beginning to think it’s okay. Since the birth of Ajax (the term, not the technology), there has been an increasing interest in various…
Tuesday, August 8th, 2006
Category: Articles, Security
Apparently, not all is well in the world of Ajax (who knew?), according to this news story on the USA Today website. In it, they talk about the malicious nature of some Ajax functionality they’re seeing, and how it’s on the rise. Recent high-profile attacks include June’s Yamanner computer worm, designed to harvest e-mail addresses…
Thursday, August 3rd, 2006
Category: Security
CNet has a roundup of the state of play in Web 2.0 security, entitled The security risk in Web 2.0. It recaps recent Yahoo! Mail and MySpace worms and points the finger of blame squarely at Ajax: One of the key enablers of the flashier Web sites is a programming technique known as AJAX, which…
Wednesday, August 2nd, 2006
Category: Java, Security
A little over a week ago, we linked to a blog by Sun Ajax guru Greg Murray (creator of jMaki) discussing his small Ajax server-side proxy framework for Java, called (creatively enough) XmlHttpProxy. Greg’s back with a new blog discussing five different options for securing server-side Ajax proxy servers: 1. Token Based Restriction – Limit…
Thursday, June 15th, 2006
Category: Articles, Security, Storage
Corey Benninger of Foundstone has written a paper on Ajax Storage Security (pdf): I wanted to let you know Foundstone has a white paper on their website about AJAX Storage from a security angle. The paper focuses mainly on where Flash shared objects (used in Dojo) and IE persistence user-data get stored on the local…
Tuesday, May 30th, 2006
Category: Security, Utility
On the Pathfinder blog today, there’s a new entry about a new security offering for the Ajax community – Sprajax. Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on…
Wednesday, April 12th, 2006
Category: Remoting, Security
Some of you will be familiar with TheDailyWTF.com, a website showcasing code in the wild that is, well, less than professional. A recent forum item illustrates the ultimate Ajax antipattern: uploading arbitrary code to be executed on the server. Gustavo Carvalho discovered what happens when XMLHttpRequest and the Eval() function in PHP are combined. I’ll…
Wednesday, April 5th, 2006
Category: Ajax, Security
Ajax security is on everyone’s minds these days, whether it’s just a simple internal application or a large, public-facing hulking app. Worrying about the security of your project is never a bad thing, and to try to help direct your thoughts in the right direction, I wanted to share this post on Darknet.org.uk that asks…
Tuesday, February 7th, 2006
Category: Ajax, Security, XmlHttpRequest
On SearchWebServices.com, there’s an interview with Eric Pascarello, co-author of the book “Ajax in Action”, concerning some of the security issues that surround Ajax and how to address them. In this interview he talks about Ajax security issues, the need for server-side validation and the Ajax worm released last October on MySpace.com. They start at…
Category: Ajax, Security
As a part of the upcoming version of the Open Web Application Security Guide project, Andrew Van Der Stock has posted his slides of a presentation he did as a preview of the “Ajax chapter” for the new guide (version 2.1). The slides can be downloaded in PDF form here (1.8MB) and you can sign up…
Thursday, January 5th, 2006
Category: Security, Showcase
Agatra is a new service for managing all your passwords. Based on your Agatra master password, it will maintain a list of logins and passwords for all your favourite websites. It’s more than a memory tool, because Agatra’s list of sites will actually launch the links – in most cases, you can log in automatically from…
Saturday, December 31st, 2005
Category: Security
Eric Pascarello suggests another risk of running Javascript from another domain: using Javascript to fake a login page. Spoofing of a web page to get your information is so common. I see in my inbox that your (insert bank, shopping site, etc.) account is going to be removed if you do not verify your information.…
Wednesday, December 21st, 2005
Category: Security
Wael Chatila has published the final of a three-part series exploring Ajax security. The articles have covered: using mouse gestures as passwords; checking if keystrokes seem human; and an Ajax CAPTCHA system. Each photo has several attributes, so “Animal, Costume, Boy” means a photo containing an Animal, Costume, and Boy. The list contains several descriptions like…
Thursday, December 15th, 2005
Category: Programming, Remoting, Security
Simon Willison, now at Yahoo!, reports that Yahoo! has JSONified its API: As of today, JSON is supported as an alternative output format for nearly all of Yahoo!’s Web Service APIs. This is a Really Big Deal, because it makes Yahoo!’s APIs available to JavaScript running anywhere on the web without any of the normal problems…
Friday, November 25th, 2005
Category: Security
It was great to see browser developers getting together to take on security: Core KDE developer George Staikos recently hosted a meeting of the security developers from the leading web browsers. The aim was to come up with future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL certificate…
Thursday, November 24th, 2005
Category: Security
Joe Walker has joined a discussion on Cross Domain XHR. He talks about the areas of concern: Resource Theft: Resource theft can happen when Jack Innocent visits the website of Evil Bob. Evil Bob has written some XHR code that repeatedly requests compute-expensive pages from the site of Victim Inc. Thus Evil Bob gets…