Slashdot Mirror


User: foxyLady

foxyLady's activity in the archive.

Stories: 0 · Comments: 9

Comments · 9

  1. Re:Security not a consideration? on Five AJAX Frameworks Reviewed · Score: 1

    My user name was created way before I got all that smart :)

    Anyway, to answer your question, if you're using XML as your data transport format (just like Rico and xajax frameworks do), then you're safe from JavaScript Hijacking: XML is not valid JavaScript, so it will not be correctly eval()-ed.

  2. Re:Security not a consideration? on Five AJAX Frameworks Reviewed · Score: 2, Informative

    Well, Fortify Software Security Research Group (which I am part of) has recently released a report ( http://it.slashdot.org/article.pl?sid=07/04/02/1113242 ), where we discuss the new type of vulnerability we named JavaScript Hijacking.

    We believe that JavaScript Hijacking is the only type of vulnerability found so far applicable only to Ajax applications. We've also analyzed the 12 most widely used Ajax frameworks (DWR, GWT, Microsoft "Atlas", xajax, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit) and determined that all the frameworks that use JSON and/or JavaScript for transferring data (except for DWR 2.0, which was not released at the time) are vulnerable to JavaScript Hijacking.

    To summarize, the vulnerability allows an unauthorized party to read confidential data contained in JavaScript messages. The attack works by using a <script> tag to circumvent the Same Origin Policy enforced by Web browsers. Traditional Web applications are not vulnerable because they do not use JavaScript as a data transport mechanism.

    The complete report is available here: http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf .

    As a side note, DWR 2.0 ( http://getahead.org/dwr/ ) and Prototype 1.5.1 ( http://prototypejs.org/2007/5/1/prototype-1-5-1-released ) have been recently released, and do contain fixes that prevent JavaScript Hijacking.
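An added example (not code from the Fortify report, DWR, Prototype or any other framework named above) illustrating the point of comments 1 and 2: a bare JSON response is syntactically loadable by a cross-site script tag while XML is not, and two commonly used defences, requiring a custom request header that a script-tag fetch cannot attach and prefixing the response with a guard that only the legitimate XMLHttpRequest client strips. All function names, the guard string, the header value and the sample data are assumptions.

```javascript
// Added example; names, guard string and sample data are assumptions, not any framework's code.

const GUARD = "while(1);"; // assumed guard prefix: loops forever if the body is run as a script

// Syntax check only (nothing is executed): could a browser load this body as a script?
// Bare JSON is a valid JavaScript expression statement; an XML document is a syntax error.
function isLoadableAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Server side: a <script src=...> fetch cannot attach custom headers, but XMLHttpRequest can,
// so the presence of this header distinguishes the application's own client from a cross-site include.
function isTrustedAjaxRequest(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "x-requested-with" && value === "XMLHttpRequest") return true;
  }
  return false;
}

// Server side: refuse untrusted requests outright, and prefix confidential JSON with the guard
// so that even a successful cross-site include never yields the data to the including page.
function serveConfidentialJson(headers, data) {
  if (!isTrustedAjaxRequest(headers)) return { status: 403, body: "" };
  return { status: 200, body: GUARD + JSON.stringify(data) };
}

// Client side (XMLHttpRequest callback): strip the guard, then parse with JSON.parse rather than
// eval(). An unguarded body is rejected so a misconfigured endpoint is noticed, not silently used.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD)) throw new Error("response lacks guard prefix");
  return JSON.parse(body.slice(GUARD.length));
}

// Constructed sample message standing in for confidential per-user data.
const SAMPLE = [{ user: "alice", balance: 42 }];
```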

  3. do "victims" have anything to say? on Playing Games While Not Ruining Your Relationship? · Score: 3, Interesting

    I find it extremely funny that most of the posts, in fact, all of the ones I've read, come from the gamers, and none -- from the significant others the posts refer to

    you will probably say that that's because SOs aren't geeks and don't read slashdot

    well, you might be right, however then you're implying that the concepts of "geek" and "gamer" are being equated

    can I not be a geek if I am not a gamer?

    but, I'm getting slightly off topic...

    I am that significant other who had to deal with the boyfriend-gamer...we went through many stages in our relationship (with respect to videogames): when I did not care at first, when it went way over the limits because every possible free-from-classes-and-work moment was dedicated to gaming, when we were on the edge of breaking up, when he stopped playing completely because he was afraid of ruining the relationship (I guess), to me pre-ordering Half Life 2 for his birthday

    I don't know if I am ready to deal with the gaming issue completely: I don't care right now, but maybe I will later

    I am afraid it will get out-of-hand as it once did

    my major issue with gaming is how unreal and impersonal it seems to be...the most I could ever handle playing is tetris, for about 10 minutes, and then I would just get sick of it

    and because I value personal interactions so much, I get very upset when my SO does not seem to do that as much as I do

    I have high standards, and he knows about it

    so, I was very glad that there are still gamers who, through getting to know their SOs better, start to value personal interactions over the "unreal" ones

  4. Re:I want it fixed ASAP on Slow Down the Security Patch Cycle? · Score: 1

    so, you want to have the same reputation as microsoft? heh...
    well, if that's what you want...

    unfortunately, most of the companies do not have as much money as microsoft does, and thus have to spend it wisely

    the wise thing to do would be to spend it on incorporating security into your product at the development stage rather than spending MORE money on successive patches

    plus, as I already said, adding security later is like debugging badly written code -- sometimes it's just better to start over

  5. Re:I want it fixed ASAP on Slow Down the Security Patch Cycle? · Score: 2

    I think people are missing the point, and the point is: we need to write better software in the first place -- test it well BEFORE releasing it, not relying on the fact that we can release a patch later, after the bug is found by someone

    I mean, if we only rely on someone finding the bug after the release and reporting it, we are in big trouble...who said that all the bugs found have been reported?

    additionally, security is not something that can be fixed after the product is designed -- security is just as big of a part of the product design as is the product's functionality

    thinking about software security during the design stage will prevent many bugs from being implemented, missed during testing, and then exploited...it will also save us from the necessity of patches

  6. automated tools on Exploiting Software · Score: 1

    what about static/dynamic analysis techniques/tools?

  7. Re:My Reasons on Say Here Why Sklyarov Should Go Free · Score: 1

    The fact that there is no DMCA in Russia should not be the reason why Dmitri must be freed -- this is no excuse...The question is extremely controversial: on one hand, he is the one who broke the law, on the other (as the Elcomsoft director mentions), Adobe broke the so-called 'consumers' rights' law...But now let us look at the situation from the side: Dmitri goes to the United States to give his speech knowing about the DMCA and all the possible consequences (I wouldn't believe that he knew nothing about it)...I don't think that he is so stupid as to just do something like that without having something else on his mind...The idea about Tobin sounds about right, but who knows?...

  8. computers are cool, but... on Is Technology Making Kids More Intelligent? · Score: 1

    computers are cool as long as we know how to use them and why to use them...they open new ways of learning (internet) and help develop certain skills, such as logic and all that...but, video game addicts are rather pathetic...admit that...

  9. Re:Not completely unreasonable on Software Tracks Kids At School · Score: 2

    well, I agree that everything depends on the individual -- one is more mature than another, and this is a reasonable thing that should be taken into consideration, however, I believe that the more you try to CONTROL a kid/teenager/anyone in fact, the more they want to be free and independent from you...my parents always trusted me, and therefore I don't have any reason not to trust them, and I feel responsible for being trusted by them...however, they never intruded into my private life -- their philosophy is: you don't have to share, but if you do, we will always be there for you...I think this is the important part...being interested in what is going on in your kid's life is different from controlling it...