AJAX May Be Considered Harmful
87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."
Crying "Wolf" (Score:3, Interesting)
Do they ever learn? All of this scaremongering is numbing the uninitiated, and when there is a real threat no one will be prepared.
Well, my BS meter pings off the scale when I see alarmist claims like "shutting down the web." How many of those claims have we all seen over the past years?
I suppose it's the 21st-century equivalent of "The World is Coming to an End!"
I consider that anyone who makes such outlandish claims should be remembered, indexed, marked, and noted. When their claims fail to come true, then we can all stand around and laugh at them and grant them Idiot Awards.
Re:notabug (Score:3, Interesting)
If touching prototypes of built-in objects would persist across sites there simply could not have been more than one JS framework system. And nobody would have had scripting enabled...
Poor design security will always be a flaw (Score:3, Interesting)
At the end of the day, I verify the data I accept from the application before storing it. I don't trust anything coming from the client side. Just because it's ajax and I "think" I'm in control of the application doesn't mean that I am.
Big deal.
You still can't send me options as selected if the options aren't in the list I offered you -- because I check. You can't send me invalid data because I check it for validity. That's my responsibility.
You can't get me to send you something you don't have access to, because the agents that retrieve the data are running under your authority -- not as a system admin. If you don't have access to them, the data won't exist for you.
Again -- security happens at the back end. The front end is always to be considered hostile.
re: first post (Score:4, Interesting)
Further, the Slashdot summary suggests that Prototyping is a design flaw in JavaScript/ECMAScript. This is wrong for two reasons:
The article does outline a number of Ajax related vulnerabilities, but like most vulnerabilities, they can be mitigated or avoided entirely if paid attention to - much like the SQL injections of old.
Arguing that Prototyping or Ajax makes JavaScript unsafe is FUD. These are powerful language features that (like any powerful feature) can be used for evil if an injection mechanism is available.