Wednesday, February 07, 2007

Evil Javascript: Web 2.0 As A Story To Be Destroyed by Hackers

If you read and absorb no other security-related story this week, you'd be well-advised to read and understand this one.

As Ryan mentions in this article, NoScript rocks as a Firefox plug-in.

Ryan Singel writes on 27B Stroke 6:

The best conference presenters have a story to tell, and this morning, Billy Hoffman -- the lead researcher at Web application security company SPI Dynamics -- had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.

Traditional web applications have an input box that lets you send information to a webserver, which then passes the info to a database or application in the background, and your browser waits for a response and then you are taken to a new page. Websites that use AJAX use a powerful combination of JavaScript and continual communication with the server in background, removing the lag associated with page refreshes and letting sites like Google Maps feel more like desktop applications.

The problem -- as many know -- is that JavaScript is a very powerful language, and when developers aren't careful it's possible to insert other JavaScript into a website via a link that lets an attacker do bad things, like delete your account if you click on a link or visit an evil page.

More here.
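The "JavaScript inserted via a link" problem the article describes is reflected cross-site scripting. The example below is added here and is not from the article or from SPI Dynamics; it shows a search page that reflects a query-string value straight into HTML beside the same page with output encoding, using a constructed link whose `q` parameter carries a script tag (the `deleteAccount()` name is a placeholder, not a real function).

```javascript
// Added example: reflected XSS through a link parameter, vulnerable vs. hardened.
// Runs offline in Node; the "request" is a constructed URL, nothing is fetched.

// Encode the characters that let attacker text break out of HTML text/attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term from the link is concatenated into the page unchanged,
// so a crafted link makes the site serve the attacker's script as its own.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<p>Results for: ${q}</p>`;
}

// Hardened: identical page, but the user-controlled value is HTML-encoded on output.
function renderSearchHardened(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Crude review/test check: did a raw <script> tag survive into the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed "evil link": the search term is a script tag instead of a word.
// deleteAccount() is a placeholder standing in for whatever the page's scripts can do.
const evilLink =
  "https://example.test/search?q=" +
  encodeURIComponent("<script>deleteAccount()</script>");

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderSearchVulnerable(evilLink));
  console.log("hardened:  ", renderSearchHardened(evilLink));
}
```

Encoding on output fixes this one sink; attributes, URLs and script blocks each need their own context-specific encoding, and a Content-Security-Policy header plus NoScript on the client are the defence-in-depth layers.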
