I haven't read it, but saw some similar stuff on Ajaxian the other day while catching up on my blog reading:
http://ajaxian.com/archives/protecting-a-javascript-service
http://ajaxian.com/archives/towards-secure-ajax-mashups
http://ajaxian.com/archives/operator-overloading-in-javascript-2-and- a-potential-monster-csrf-hole
http://ajaxian.com/archives/the-safety-of-json

just security in general:
http://ajaxian.com/by/topic/security/

Some good reads in there.

-warner

On Apr 7, 2007, at 12:59 AM, Chad Woolley wrote:

What are the details of this exploit?  They are light on details other
than usage stats for "Web 2.0".  I guess they want you to buy their
software to find out more...

If we are talking about http (vs https), if you log in your user
normally and use session cookies to maintain a session, I don't see
how an Ajax/Ajaj app would be more vulnerable than a regular app.  If
somebody sniffs or steals your session cookie, you are compromised,
doesn't matter whether it's sent via an XMLHttpRequest or a regular
request.

Than again, I'm no security expert.  What am I missing, other than a
link with more details than this article?

-- Chad

On 4/5/07, William H. Mitchell <[EMAIL PROTECTED]> wrote:
In case you haven't heard...
http://www.fortify.com/news-events/releases/2007/2007-04-02.jsp


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Warner Onstine - Programmer/Author
New book! Tapestry 101 available at http://sourcebeat.com/books/ tapestrylive.html
[EMAIL PROTECTED]
http://warneronstine.com/blog




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to