Ajax Security Basics

SecurityFocus has a decent article entitled Ajax Security Basics. A sample: A second challenge relates to the difficulty involved in securing the increased attack surface. Ajax inevitably increases the overall complexity of the system. In the process of adopting Ajax,...

Exploiting the Google App Ecosystem

A number of readers have noted that XMLHttpRequest can only communicate back to the same host that served up a page. This is true. We've all played around with XMLHttpRequest to see if we could make it break. Barring browser...

Another Worm, This Time on Myspace

Over at Simple Thoughts, they dissect a Flash/AJAX worm that has been laying waste to MySpace. The unnamed worm isn't malicious, but the Shockwave Flash (.swf) file containing the payload embeds JavaScript into the profile of any MySpace user who...

Bogus Firefox XMLHttpRequest Security Bug Report?

Not sure whether this is a real security issue or whether the folks at Zabbey are just getting all bent out of shape about nothing. While developing Zlap I accidentally ran my test HTML file from my local...

The Hazards of Exposing Business Logic on the Client

Via Ajaxian we get an object lesson in the dangers of exposing business logic in the browser: Beau Hartshorne of Snipshot (formerly Pixoh) says "massive chunks" of Cellsea code are identical to Snipshot. "This is not an accidental inspiration. Check...

Security – Yamanner Worm Hits Yahoo Mail (Not!)

Update 3: Eric Pascarello has a brief blog entry describing the mechanisms by which the worm works. If you'd like to look at a defanged version of the code, it is here. Update 2: I'll save you reading all the...

Sprajax? Security Scanner for AJAX

I came across an open source AJAX security scanner called Sprajax. From the Denim Group's press release: Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing...

AJAX and Security

Lots of articles like this one from eWeek broach the subject of AJAX and security but give few answers. The most insightful quote from the article is from the Dojo man: Panelist Alex Russell, co-founder and project lead for The...

Stomping out the Misconceptions

A reader pointed out this blog entry from Infoworld, Mercury: AJAX has its drawbacks. It's from the middle of April, but it is still worth responding to. "AJAX is incredible where people are starting to adopt it and it immediately causes...