Web 2.0 Under Siege

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"

Vocabulary Fix

[Nerdfest]

Sadly, this is likely to do very little to stop the use of the word 'mashups'.

quick!

[mastershake_phd]

Upgrade to Web 3.0, quick!

Mashups?

[Rob T Firefly]

'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'

So back when I made the Beastie Boys rap over the Macarena tune, [spacemutiny.com] I was really hacking the Web 2.0? And here I thought I was just assaulting eardrums and good taste...

Does this mean...

[zappepcs]

that we can sue Morfik? /sarcasm

Easy Fix

[Anonymous Coward]

Just serve up an animated cursor before any XML handshakes. This will stop the attackers from exploiting the AJAX piece.

The Biggest WTF...

[Sam Legend]

The biggest WTF is that somebody is still using javascript. Oops. Wrong site...
(Captcha: backtotheweb1.0)

Re:Vocabulary Fix

[MikeFats]

You're right - who doesn't yearn for the good old Pine and Gopher days? I spit on you AJAX and Web 2.0.

Re:They discovered this?

[borkus]

I return pain text

I so want to return pain text to certain users.

if text_body == ALL_CAPS
        return PAIN_TEXT

Re:XSS

[Bogtha]

Here [fortifysoftware.com]. For future reference:

1. Throw the words "Fortify Software" at Google.
2. Click on the first link.
3. Click on the prominent link in the middle of their home page.

It's really not that hard to find details. All you really need is the ability to operate a web browser, a search engine, and about thirty seconds of your time.

Re:Executing 3rd party code by default is insecure

[nuzak]

> Like building a submarine out of swiss cheese.

I suspect a submarine built out of a nice solid gruyere would probably not be terribly seaworthy either. When it comes to the structural integrity of hull materials, cheese tends to rank pretty low.