Slashdot Mirror


Web 2.0 Under Siege

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"
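As an added illustration of the attack class the summary describes (this is example code written for this page, not code from Fortify or from any of the toolkits named in the story), the following models the page load sequence: an Ajax endpoint that answers a cookie-bearing GET with a bare JSON array is also answering with a complete JavaScript program, so a hostile page can pull it in with `<script src>` the same way a mashup pulls in a third-party feed. Beside it is a hardened handler built on the two kinds of countermeasure Fortify's write-up recommends: refuse requests that a script tag is able to make, and make the response body unrunnable as script. The handler and client names, the header choice and the sample account data are all constructed for the demo.

```javascript
// Added example (not from the story or from Fortify). Handlers take a toy
// request object { cookies: {...}, headers: {...} } and return { status, body }.

// Constructed "sensitive" data that the endpoint returns to a logged-in user.
const ACCOUNT_DATA = [{ user: 'alice', balance: 4200 }, { user: 'bob', balance: 17 }];

function authenticated(req) {
  return !!req.cookies && req.cookies.session === 'valid';
}

// Vulnerable: any request carrying the session cookie gets a bare JSON array,
// and a bare array literal is a syntactically complete JavaScript program.
function vulnerableHandler(req) {
  if (!authenticated(req)) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(ACCOUNT_DATA) };
}

// Hardened:
// 1. demand a custom header (hypothetical choice here), which XMLHttpRequest
//    can send but a <script src> tag cannot; a secret token in a POST body
//    separates the two cases in the same way;
// 2. prefix the body so a script parser fails before producing any value.
//    The same-origin client strips the prefix before JSON.parse.
const GUARD_PREFIX = ")]}',\n";
function hardenedHandler(req) {
  if (!authenticated(req)) return { status: 401, body: '' };
  if ((req.headers || {})['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' };
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(ACCOUNT_DATA) };
}

// Legitimate same-origin XMLHttpRequest: sets the header, strips the prefix, parses.
function sameOriginFetch(handler) {
  const res = handler({ cookies: { session: 'valid' }, headers: { 'x-requested-with': 'XMLHttpRequest' } });
  if (res.status !== 200) return null;
  const body = res.body.startsWith(GUARD_PREFIX) ? res.body.slice(GUARD_PREFIX.length) : res.body;
  return JSON.parse(body);
}

// Attacker's page does <script src="https://victim/accounts"></script>: the
// browser attaches the victim's cookie, cannot add custom headers, and runs
// whatever comes back. The 2007 attack read the data through Array-constructor
// or __defineSetter__ hooks that browsers of that era exposed; engines have
// since closed those hooks, so this model instead takes the script's completion
// value (an indirect eval of the body) to show whether the response is a
// program that evaluates to the data at all.
function scriptTagInclude(handler) {
  const res = handler({ cookies: { session: 'valid' }, headers: {} });
  if (res.status !== 200) return { leaked: null, reason: 'HTTP ' + res.status };
  try {
    const indirectEval = eval; // global-scope eval of the response body
    return { leaked: indirectEval(res.body), reason: 'body executed as script' };
  } catch (e) {
    return { leaked: null, reason: e.constructor.name };
  }
}

function demo() {
  return {
    vulnerable: scriptTagInclude(vulnerableHandler),   // array leaks
    hardened: scriptTagInclude(hardenedHandler),       // HTTP 403, nothing executed
    // prefix alone, without the header check, still stops execution with a SyntaxError
    prefixOnly: scriptTagInclude(() => ({ status: 200, body: GUARD_PREFIX + JSON.stringify(ACCOUNT_DATA) })),
    legit: sameOriginFetch(hardenedHandler),           // the real client still works
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The header check is the part that matters most in practice, because it turns the cross-site request away before any data is serialized; the prefix is defence in depth for the case where a GET endpoint has to stay reachable without the header. Either way the same-origin client must be updated in step with the server, since a prefixed body is no longer valid JSON on its own.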

10 of 170 comments

  1. Vocabulary Fix by Nerdfest · · Score: 3, Funny

    Sadly, this is likely to do very little to stop the use of the word 'mashups'.

    1. Re:Vocabulary Fix by MikeFats · · Score: 3, Funny

      You're right - who doesn't yearn for the good old Pine and Gopher days? I spit on you AJAX and Web 2.0.

  2. quick! by mastershake_phd · · Score: 5, Funny

    Upgrade to Web 3.0, quick!

  3. Mashups? by Rob T Firefly · · Score: 5, Funny

    'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'
    So back when I made the Beastie Boys rap over the Macarena tune, I was really hacking the Web 2.0? And here I thought I was just assaulting eardrums and good taste...

  4. Does this mean... by zappepcs · · Score: 2, Funny

    that we can sue Morfik? /sarcasm

  5. Easy Fix by Anonymous Coward · · Score: 2, Funny

    Just serve up an animated cursor before any XML handshakes. This will stop the attackers from exploiting the AJAX piece.

  6. The Biggest WTF... by Sam Legend · · Score: 5, Funny

    The biggest WTF is that somebody is still using javascript. Oops. Wrong site...
    (Captcha: backtotheweb1.0)

  7. Re:They discovered this? by borkus · · Score: 2, Funny

    > I return pain text

    I so want to return pain text to certain users.

    if text_body.isupper():
            return PAIN_TEXT

  8. Re:XSS by Bogtha · · Score: 2, Funny

    Here. For future reference:

    1. Throw the words "Fortify Software" at Google.
    2. Click on the first link.
    3. Click on the prominent link in the middle of their home page.

    It's really not that hard to find details. All you really need is the ability to operate a web browser, a search engine, and about thirty seconds of your time.

    --
    Bogtha Bogtha Bogtha

  9. Re:Executing 3rd party code by default is insecure by nuzak · · Score: 2, Funny

    > Like building a submarine out of swiss cheese.

    I suspect a submarine built out of a nice solid gruyere would probably not be terribly seaworthy either. When it comes to the structural integrity of hull materials, cheese tends to rank pretty low.

    --
    Done with slashdot, done with nerds, getting a life.