Archive for March, 2008

Ajax vulnerabilities

Wednesday, March 19th, 2008


Ajax vulnerabilities, originally uploaded by Noah Sussman.

This slide is from Danny Alan’s talk on XSS. I’ve read about the various JavaScript remoting attacks, but it was impressive to actually watch him paste a simple script tag into an insecure form, then later (from a remote host) play back the compromised browser’s session, including cookies, keys pressed (including passwords), all the HTML retrieved by the browser, and details about the browser’s history.

Another disturbing thought: JavaScript can talk to the Java VM via an applet. The Java VM knows the NAT address of the host machine on the internal network. If the router password and IP are known (most users leave these set to factory defaults) then JavaScript can fill out and submit any of the Web forms that control the router. So it’s theoretically possibly to compromise a router with JavaScript.

The demo of Ajax XSS attacks and exploits, had the best quote of the day, as well: "Oops! I accidentally hit the Back button and canceled my attack!"

Notes from Ajax World 2008, day 2

Wednesday, March 19th, 2008

Overall the emphasis was on XSS attacks and (the problem of) JavaScript security, proposing a “safe subset” of JavaScript; supported by the “adsafe” option in JSLint. A policy of “cooperation under mutual suspicion.” Other memes included “advertising is a mashup.”

The title of this slide was Vats: Communicating Computational Containment. Crockford said that “vats” are the solution to what he calls “the turducken problem.” That is, there is no way to reliably detect the various perfectly permissible variations of JavaScript-inside-HTML-encodeded-as-a-URL.

Hybrid Cab on Mulberry Street

Monday, March 3rd, 2008


Hybrid cab, originally uploaded by Noah Sussman.

This is the first hybrid cab I have seen in the city. I think it was a Nissan but I’m bad with make-and-models.