mike | Shared With: Everyone - Aug 13 2007 | javascript, security, firefox
JavaScript signed scripts (alternate security model to Same Origin).
mike | Shared With: Everyone - Sep 04 2008 | javascript, security, rest, api, csrf
I couldn't find a good description on the web about securing REST APIs against drive-by requests (unauthorized 3rd-party calls when you visit a malicious web site).
Here's what I've pieced together today by examining what del.icio.us is doing to secure its REST API.
mike | Shared With: Everyone - Nov 03 2007 | google, opensocial, api, hack, security, javascript
That didn't take long! I wonder if the security holes are in the host or OpenSocial, itself.
Quoted: It didn't take long for someone to hack the first OpenSocial application. In fact, it took just 45 minutes. A developer who goes ...
mike | Shared With: Everyone - Sep 10 2007 | javascript, apple, cross site, security
Apple's early paper on using IFRAMEs to accomplish remote scripting. Could still be useful in some cross-site scripting scenarios.
mike | Shared With: Everyone - Aug 13 2007 | security, javascript, json, JSONRequest
Proposal to implement a JSONRequest object in every browser. The proposed method supports anonymous sending and receiving of JSON (no cookies transmitted), and is therefore exempt from the same-origin policy of XMLHttpRequest.
mike | Shared With: Everyone - Jul 08 2007 | digg, javascript, blogs, security
mike | Shared With: Everyone - Apr 23 2007 | javascript, security, cross site, dojo
Setting "fragment identifiers" (anchor names) in the URLs of an IFRAME and its parent page for use as a cross-site scripting protocol. What a KLUDGE!
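What the fragment-identifier transport actually does, as an added example that is not Dojo's code or anything from the bookmarked page: the sender writes numbered chunks of a URL-encoded message into the other frame's `location.hash`, and the receiver polls the hash and reassembles the message. Two frames are simulated here with plain objects carrying a `hash` field so the logic runs outside a browser; `MAX_FRAGMENT`, the `#channel:seq:total:chunk` format and the channel name are assumptions for this illustration, not Dojo's wire format.

```javascript
// Added example, not from the bookmarked page: a fragment-identifier (hash)
// transport between two frames. Frames are simulated as { hash: '' } objects
// standing in for window.location, so this runs under Node.
const MAX_FRAGMENT = 40; // assumed per-hash payload size; real limits come from URL length

// Sender side: split an arbitrary string into numbered hash fragments.
// Format (assumed): #<channel>:<seq>:<total>:<urlencoded-chunk>
// encodeURIComponent turns ':' into %3A, so the separator is unambiguous.
function toFragments(channel, text) {
  const payload = encodeURIComponent(text);
  const total = Math.max(1, Math.ceil(payload.length / MAX_FRAGMENT));
  const out = [];
  for (let seq = 0; seq < total; seq++) {
    const chunk = payload.slice(seq * MAX_FRAGMENT, (seq + 1) * MAX_FRAGMENT);
    out.push(`#${channel}:${seq}:${total}:${chunk}`);
  }
  return out;
}

// Receiver side: poll a frame's hash on a timer and reassemble the message
// once every part has been seen. Parts are joined before decoding so a %XX
// escape split across two fragments is still decoded correctly.
class FragmentReceiver {
  constructor(frame, channel) {
    this.frame = frame;      // { hash } standing in for the frame's window.location
    this.channel = channel;  // shared random channel id; fragments for other channels are ignored
    this.parts = new Map();
    this.lastSeen = '';
  }
  poll() {
    const h = this.frame.hash;
    if (!h || h === this.lastSeen) return null;   // nothing new since the last tick
    this.lastSeen = h;
    const m = /^#([^:]+):(\d+):(\d+):(.*)$/.exec(h);
    // Caveat: any page that can navigate this frame can set its hash, so the
    // channel check filters noise but does not authenticate the sender's origin.
    if (!m || m[1] !== this.channel) return null;
    const [, , seq, total, chunk] = m;
    this.parts.set(Number(seq), chunk);
    if (this.parts.size < Number(total)) return null;
    const ordered = [...this.parts.keys()].sort((a, b) => a - b)
      .map(k => this.parts.get(k)).join('');
    this.parts.clear();
    return decodeURIComponent(ordered);
  }
}

// Drive one exchange: the sender sets the frame's hash one fragment per tick
// and the receiver's poll runs after each (a real sender would wait for an
// acknowledgement written into its own hash before advancing).
function exchange(message) {
  const frame = { hash: '' };
  const rx = new FragmentReceiver(frame, 'c9f1');
  let received = null;
  for (const frag of toFragments('c9f1', message)) {
    frame.hash = frag;
    received = rx.poll();
  }
  return received;
}
```

The channel id only keeps unrelated hash changes from being misread as messages; nothing in this scheme tells the receiver which origin wrote the fragment, which is the gap `window.postMessage` closed with its `event.origin` field.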
mike | Shared With: Everyone - Apr 22 2007 | javascript, programming, security, web development, ajax, json, csrf
Good reference to a paper on cross-site scripting vulnerabilities in AJAX code.
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
The attack using a hook to capture any event that sets a known property:
    // Legacy SpiderMonkey "property setter = fn" syntax from the paper: redefining
    // the global Object constructor so every literal that assigns .email calls
    // captureObject (the attacker's hook; its body is not reproduced here).
    function Object()
    {
        this.email setter = captureObject;
    }
Note the flame-war between antibozo and kentaromiura in the comments. It actually resolves itself quite amicably in the end.
Quoted: An application can be mashup-friendly or it can be secure, but it cannot be both.
...
Solutions:
o Include a hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.
o Include characters in the response that prevent it from being successfully handed off to a JavaScript interpreter without modification. This prevents an attacker from using a <script> tag to witness the execution of the JavaScript.
Vulnerable frameworks include: Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, and MochiKit.
mike | Shared With: Everyone - Jan 01 2007 | google, gmail, json, javascript, security, web services
mike | Shared With: Everyone - Jan 20 2006 | javascript, cross-site, security
This was a document for a Dec 20th vulnerability - presumably different from the one publicized on Jan 20?