Slashdot Mirror


AJAX May Be Considered Harmful

87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."

9 of 308 comments

  1. Greasemonkey? by Mitchell+Mebane · Score: 1, Interesting

    Isn't this the thing that forced the redesign of Greasemonkey a while back?

    --

    The roots of education are bitter, but the fruit is sweet.
    --Aristotle
  2. Crying "Wolf" by flajann · Score: 3, Interesting

    Do they ever learn? All of this scaremongering is numbing the uninitiated, and when there is a real threat no one will be prepared.

    Well, my BS meter pings off the scale when I see alarmist claims like "shutting down the web." How many of those claims have we all seen over the past years?

    I suppose it's the 21st-century equivalent of "The World is Coming to an End!"

    I consider that anyone who makes such outlandish claims should be remembered, indexed, marked, and noted. When their claims fail to come true, then we can all stand around and laugh at them and grant them Idiot Awards.

  3. Re:Horeshit.....javascript is crap but....horeshit by kirun · Score: 2, Interesting
    "Javascript is nothing related to Java".
    It didn't use to be (apart from both of them having C-related syntax and Interweb-related hype), but it is now if you're using Firefox. For example, the following works:

    <script> document.write(new java.lang.String("I'm here")); </script>
    They're no fun, though; they left out stuff like java.io.
    --
    I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
  4. Re:notabug by Myen · Score: 3, Interesting

    Except that when you visit site B, the browser discards all JS from site A before going to site B. Site B never sees any JS objects from A anyway. Think of the browser-supplied things (e.g. the XMLHttpRequest constructor) as a template; if you modify it you just get a copy of the template for yourself.

    If touching prototypes of built-in objects would persist across sites there simply could not have been more than one JS framework system. And nobody would have had scripting enabled... :)

  5. Re:Horeshit.....javascript is crap but....horeshit by Millenniumman · Score: 2, Interesting

    "I could code web pages, or whatever, in assy if I wanted." What web browser are you using that has a built-in assembler?
    --
    Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
  6. Re:FUD by bunions · Score: 4, Interesting

    Those 'gigantic problems' aren't problems with Ajax. There exist good solutions for both. The solutions, however, are nontrivial and are typically ignored by developers for whatever reasons.

    --
    there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
  7. Re:FUD by gomoX · Score: 2, Interesting

    That's just stupid. A well designed AJAX app is faster to use than a regular one. Page reloads suck for applications. Have you seen Google Mail, with embedded Talk client, or maybe Calendar, or even the DHTML beta of slashdot's comments (barely AJAX, but still)? Those kick ass compared to older versions. A well designed AJAX app is great. Most AJAX apps suck, but it's not AJAX's fault. And yes, it's sort of a hack. So what? So is every standards compliant site that looks good.

    --
    My english is sow-sow. Sowhat?
  8. Poor design security will always be a flaw by CFD339 · Score: 2, Interesting

    I'm in the middle of writing a fairly complex application in which the UI is ajax based. The calls to the back end are all done via these ajax calls.

    At the end of the day, I verify the data I accept from the application before storing it. I don't trust anything coming from the client side. Just because it's ajax and I "think" I'm in control of the application doesn't mean that I am.

    Big deal.

    You still can send me options as selected if the options aren't in the list I offered you -- because I check. You can't send me invalid data because I check it for validity. That's my responsibility.

    You can get me to send you something you don't have access to, because the agents that retrieve the data are running under your authority -- not as a system admin. If you don't have access to them, the data won't exist for you.

    Again -- security happens at the back end. The front end is always to be considered hostile.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  9. re: first post by jimbojw · Score: 4, Interesting
    You might - if you can find an available XSS vulnerability to use as a vector. TFA assumes this blithely for the sake of demonstration, but it's a big assumption.

    Further, the slashdot summary suggests that Prototyping is a design flaw in JavaScript/ECMAScript. This is wrong for two reasons:
    1. The article doesn't mention this.
    2. Prototyping is not a design flaw.
    Prototyping is a very useful language feature that can be used to do all sorts of things that would otherwise be cumbersome or impossible. Ruby is a prototyped language - a feature which is responsible for much of the 'magic' of Rails.

    The article does outline a number of Ajax related vulnerabilities, but like most vulnerabilities, they can be mitigated or avoided entirely if paid attention to - much like the SQL injections of old.

    Arguing that Prototyping or Ajax makes JavaScript unsafe is fud. These are powerful language features that (like any powerful feature) can be used for evil if an injection mechanism is available.