JSON Hijacking and the National Enquirer

by JoeStagner 4/4/2007 12:39:39 PM

A couple of days ago eWeek posted a panic attack here http://www.eweek.com/article2/0,1895,2110554,00.asp?kc=EWEWEMNL040307EP37A that sensationalized a paper that Fortify published here: http://www.fortifysoftware.com/advisory.jsp

I posted a link to the article yesterday – sort of tongue in cheek, but decided to wait until I could refer to more information because folks might not intuit my point.

So let me offer this subtle hint: THERE IS NOTHING NEW HERE !

Security companies market themselves by generating press about their research – fair enough.

Tech Media Companies like eWeek naturally sensationalize to keep their readership flowing (the National Enquirer model of Journalism).

Now, it’s not like I don’t take developer security seriously. I spent about 4 of the past 6 years focused mostly on developer security.

But it’s time we fix the perspective a bit. Fortify wants to identify the Ajax vendors as the source of these security problems (and not just Microsoft, but basically everyone that makes Ajax software).

It’s great that security companies are looking at the rapid adoption of Ajax and calling attention to security issues. But, at the risk of sounding redundant …

THERE IS NOTHING NEW HERE !

HTTP and JavaScript have not changed. The possible programming mistakes have not changed. The defensive development practices that mitigate these risks have not changed. Only some new buzzwords have been added.

ScottGu has replied here to some of the specific call-outs in the above-referenced article: http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
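To make the "nothing new" point concrete, here is an added example in Node.js. It is not code from this post, from Fortify's advisory or from ASP.NET AJAX itself; the request shape (`{ method, headers }`), the handler names, the `"d"` wrapper key and the sample contact data are this example's own assumptions. It shows why a bare JSON array returned to a GET can be pulled in cross-site with a `<script src>` tag, and that the checks which stop it are plain HTTP-level defenses that predate the word "Ajax".

```javascript
// Added example: why a bare JSON array is "hijackable" and the server-side
// checks that close the hole.  Not code from this post, Fortify's advisory or
// ASP.NET AJAX; the request shape ({ method, headers }), the handler names,
// the "d" wrapper key and the sample data are this example's own assumptions.

// Constructed sample data an authenticated endpoint might return.
const SAMPLE_CONTACTS = [
  { name: "alice", email: "alice@example.test" },
  { name: "bob", email: "bob@example.test" },
];

// JSON hijacking works because an attacker's page can include the victim's
// JSON endpoint with <script src="https://victim/contacts">: the browser sends
// the victim's cookies along and then executes the response as JavaScript.
// A bare array literal is a complete, valid JavaScript program, so it runs.
// Parsing the body with the Function constructor (without calling the result)
// tells us whether a response could be executed that way.
function executableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Vulnerable pattern: answer any GET with a bare JSON array.
function vulnerableHandler(req) {
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify(SAMPLE_CONTACTS),
  };
}

// Hardened pattern.  Each check is an old HTTP-level defense, nothing Ajax-specific:
//  1. Only POST.  A <script src> include is always a GET.
//  2. Require Content-Type: application/json.  A cross-site HTML form can only
//     send form-encoded, multipart or text/plain bodies, and a script include
//     sends no body at all, so only same-origin XMLHttpRequest code gets this far.
//  3. Wrap the data in an object.  {"d": [...]} is not a valid JavaScript
//     program (the parser sees a block, a string, then a stray colon), so even a
//     browser that executes the response gets a SyntaxError, not data.
function hardenedHandler(req) {
  if (req.method !== "POST") {
    return { status: 405, headers: { allow: "POST" }, body: "" };
  }
  const contentType = String((req.headers || {})["content-type"] || "")
    .split(";")[0]
    .trim()
    .toLowerCase();
  if (contentType !== "application/json") {
    return { status: 415, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ d: SAMPLE_CONTACTS }),
  };
}

// Simulate the attacker's cross-site include (a GET with no body) against a handler.
function simulateScriptInclude(handler) {
  const res = handler({ method: "GET", headers: {} });
  return {
    status: res.status,
    executable: res.status === 200 && executableAsScript(res.body),
  };
}

console.log("vulnerable:", simulateScriptInclude(vulnerableHandler)); // executable: true
console.log("hardened:  ", simulateScriptInclude(hardenedHandler));   // executable: false
```

Run it with `node`; the first line shows the cross-site include getting an executable body, the second shows it refused with 405 before any data leaves the server. Current browsers no longer let a page redefine the `Array` constructor to capture the elements of a script-included array, but the POST and content-type checks are the real control and stay valid regardless of browser behaviour; an anti-CSRF token on the request adds a further layer that a cross-site page cannot supply.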

Since it seems there are still a good number of developers who are not yet up to speed on web development security, and who are particularly interested in how these security challenges relate to Ajax-style programming...

I’ve been talking to my old security buddy Mark Brown about resurrecting the “Digital Black Belt” Secure Development Series to do an extended “Developing Secure Web Applications with ASP.NET and Microsoft Ajax”.

Please offer your opinions so that I can gauge interest.

Joe

Comments

4/4/2007 1:32:23 PM

I would like to see more security oriented posts. While HTTP and JavaScript have not changed, the way they are wrapped in all these frameworks makes them feel as if they have. There is such a “declarative” push and tools to make things “easy” that it’s pretty easy to just drag, drop and be done. The other thing I see is that most of the “How To’s” are just getting a feature point across and skip over the other 80% of code that is needed for error trapping and validation/security.

BTW the Spy Dynamics series was great! I can’t wait to pick up the book.

craig

4/8/2007 4:14:07 PM

When AJAX (the term, not really the technology) first came about, I thought about the many useful things that could be accomplished as the technology is cultivated by client and server s/w vendors. Today, many vendors have put their names behind the term & technology, in effort to empower developers and increase their own bottom line at the same time. So far, with the latest security exploit on AJAX, I've been reading reactions that range from "It's not my fault" to "It's nothing new" to "It's not that bad" etc. As a developer, I would like to see more guidance and efforts to mitigate security lapses by the AJAX libraries since I'm sure the vendors actually want us to utilise the technology properly, preferably through their libraries.

Microsoft has gone some way to explain the situation, for which I am thankful. Maybe there should be a place to learn about AJAX patterns (I know Yahoo has started it) from a security perspective. Repeated assurances should be given by Microsoft that using AJAX extensions declaratively would not render the client victim of known exploits.

Alvin

4/9/2007 6:25:53 PM

I haven't seen documentation about ajax security issues. Do it.

John
