javascript also as the SOP (same origin policy)
On Apr 3, 7:23 am, "Erik Beeson" <[EMAIL PROTECTED]> wrote:
> Agreed. This comes up every few months. In this case, it looks like
> they're talking about JSON data being readable from any host. I guess
> they mean if you're getting data via the remote script tag and
> callback technique, other sites could do the same thing and access
> your data? Seems like a pretty poor way for a legitimate site to work.
>
> IMHO, the fact that forms can be submitted via javascript (no ajax
> involved) is a much bigger issue, but if you design correctly, it
> isn't a problem.
>
> Regardless, this thread will likely get huge :)
>
> --Erik
>
> On 4/2/07, Karl Rudd <[EMAIL PROTECTED]> wrote:
>
> > Bah, it's not a new vulnerability, it's always been there and always
> > been known about.
>
> > I call FUD on this.
>
> > The following is an excerpt that is the keystone of the whole thing:
>
> > "In an example attack, a victim who has already authenticated
> > themselves to an Ajax application, and has the login cookie in their
> > browser, is persuaded to visit the attacker's web site. This web site
> > contains JavaScript code that makes calls to the Ajax app. Data
> > received from the app is sent to the attacker."
>
> > Firstly _don't visit suspect sites_.
>
> > Secondly, their "example attack" is flawed. As far as I'm aware,
> > JavaScript code on one page does not have access to the cookies of
> > other webpages. If it does, it's a security flaw in the browser,
> > nothing a JavaScript library can do about it.
>
> > Karl Rudd
>
> > On 4/3/07, Kush Murod <[EMAIL PROTECTED]> wrote:
>
> > > Hi guys,
>
> > > The article below says all big JS libraries are vulnerable, including jQuery.
> > > I didn't quite understand the article, but was hoping for some feedback
> > > on it.
>
> > >http://www.cbronline.com/article_news.asp?guid=484BC88B-630F-4E74-94E...
>
> > > Cheers,
>
> > > --
> > > Kush Murod, Web applications developer
> > > Sensory Networks
> > > [E] [EMAIL PROTECTED]
> > > [W]www.sensorynetworks.com
> > > [T] +61 2 8302 2745
> > > [F] +61 2 9475 0316
> > > [A] Level 6, 140 William Street East Sydney 2011