Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.

Watch for Javascript Hijacking in your AJAX applications

Over the weekend at the New England Code Camp 7 conference, I mentioned briefly some of the potential security problems with AJAX. Dana Epp has a post about the new class of attack vectors using Javascript Hijacking against AJAX, and ultimately ATLAS, applications. He points to a research paper by Fortify Software that details the vulnerabilities, how the attacks could be performed, and ways to mitigate against them.

Be sure to read Dana's post and the research paper. Consider Dana's post and warning, and make mitigating this type of threat part of your own company's threat model process.
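As an added illustration of the kind of mitigation the paper and the comment below discuss (this is example code, not from the post, the Fortify paper or ASP.NET AJAX), the server-side guard below assumes a Node-style request object with `method` and lower-cased `headers`. It refuses the two request shapes a hostile page can produce cross-site (a `<script src>` include, which is always a GET with no Content-Type, and an HTML form POST, which can only send form content types), and it prefixes the JSON body so that a page which does manage to include the response as a script cannot harvest it as data.

```javascript
// Prefix that makes a <script src="..."> include of the response spin
// instead of evaluating the JSON array/object that follows it. A cooperating
// XMLHttpRequest client strips it before parsing.
const ANTI_HIJACK_PREFIX = "while(1);";

// Returns true only for requests that a cross-site <script> tag or plain
// HTML form cannot produce: POST with an application/json Content-Type.
function isSafeJsonRequest(req) {
  if (req.method !== "POST") {
    return false; // <script src> includes are always GET
  }
  const contentType = (req.headers["content-type"] || "").toLowerCase();
  // Forms can only send urlencoded, multipart or text/plain bodies.
  return contentType.startsWith("application/json");
}

// Builds the response for a JSON endpoint: 403 for unsafe requests,
// otherwise the prefixed JSON payload.
function guardedJsonResponse(req, payload) {
  if (!isSafeJsonRequest(req)) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(payload) };
}

// Client-side helper: strips the prefix and parses the JSON. Anything
// without the prefix is treated as an error rather than parsed blindly.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response missing anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed sample requests for a quick stand-alone check.
const scriptInclude = { method: "GET", headers: {} };
const xhrPost = {
  method: "POST",
  headers: { "content-type": "application/json; charset=utf-8" },
};
console.log(guardedJsonResponse(scriptInclude, ["secret"]).status); // 403
console.log(parseGuardedJson(guardedJsonResponse(xhrPost, ["ok"]).body));
```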

Published Wednesday, April 04, 2007 11:32 AM by RHurlbut

Comments

# re: Watch for Javascript Hijacking in your AJAX applications @ Wednesday, April 04, 2007 3:01 PM

I just posted a blog post with more details on this, and how ASP.NET AJAX 1.0 avoids these attacks.

You can read it here: http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

Thanks,

Scott

by ScottGu