YISTA

Ajaxy Web 2.0 apps vulnerable to attacks

April 4th, 2007 by Marston

According to Fortify Software, 11 out of 12 of the most popular Ajax/JS frameworks are vulnerable to JavaScript hijacking. So apparently every shiny Web 2.0 app out there is ripe for the picking!

“Fortify said that the “pervasive and critical vulnerability” is present in 11 of the 12 most popular AJAX frameworks, and therefore in many Web 2.0 applications. It allows an attacker to pose as the application’s user and intercept data sent via JavaScript commands, by using the script tag to circumvent the ’same origin policy’ imposed by web browsers.”

“JavaScript Hijacking appears to be a ubiquitous problem,” said Fortify. It claimed that only Direct Web Remoting (DWR) 2.0, a project which dynamically generates Java classes on the server from JavaScript, is immune to the attack, but said that fixes are available or feasible for other AJAX frameworks.

I’ve never heard of Direct Web Remoting before, but hey, maybe there is something to be learned here. The article doesn’t talk specifically about Prototype or Scriptaculous, but I’m sure they are among the bunch.

Here is the Yahoo! story: Web 2.0 apps vulnerable to attack
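The mechanism the quoted article describes is a cross-site `<script src="...">` include of a JSON endpoint: the browser fetches it with the victim's session and evaluates the returned JSON as JavaScript, which is why the same origin policy does not help. The following is an added example (not code from the original post, the Yahoo! article or Fortify's paper) of the two defensive measures that close this off: refusing to serve sensitive JSON to any request shape a `<script>` tag can produce, and prefixing the body so that it is a syntax error when evaluated as a script while a same-origin XMLHttpRequest can still strip the prefix and parse it. The function names, the header-marker convention, the request/response shape and the sample records are assumed or constructed here.

```javascript
// Added example (not code from the original post, the Yahoo! article or
// Fortify's paper): two defensive measures against JavaScript hijacking
// of a JSON endpoint. Function names, the request/response shape and the
// sample records below are assumed or constructed for a stand-alone run.

// A body that starts with this sequence is a syntax error when a browser
// evaluates it as JavaScript via <script src="...">, so a cross-site
// include gets nothing usable. Same-origin XMLHttpRequest code reads the
// raw text and strips the prefix before parsing.
const GUARD_PREFIX = ")]}',\n";

// Header name kept lower-case, as Node's http module normalises it.
// A <script> tag cannot add custom request headers, so the marker shows
// the request came from the application's own same-origin script.
const MARKER_HEADER = 'x-requested-with';

// Server side: only answer POST requests that carry the marker header, and
// never return a bare JSON array/object literal.
function handleJsonRequest(req, records) {
  const marker = String(req.headers[MARKER_HEADER] || '').toLowerCase();
  if (req.method !== 'POST' || marker !== 'xmlhttprequest') {
    // A GET without the marker is exactly what a <script src> include sends.
    return { status: 403, contentType: 'text/plain', body: 'Forbidden' };
  }
  return {
    status: 200,
    contentType: 'application/json',
    body: GUARD_PREFIX + JSON.stringify(records),
  };
}

// Client side (same-origin XHR): verify and strip the guard, then parse.
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD_PREFIX)) {
    throw new Error('response lacks the expected guard prefix');
  }
  return JSON.parse(text.slice(GUARD_PREFIX.length));
}

// Review-time self-check: does the body fail to parse as a script?
// If it parses, a <script src> include could still evaluate it.
function bodyIsNotValidScript(body) {
  try {
    new Function(body); // parses only; the body is never executed
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample data and request shapes.
const sampleRecords = [{ id: 1, email: 'alice@example.com' }];
const sameOriginXhr = { method: 'POST', headers: { [MARKER_HEADER]: 'XMLHttpRequest' } };
const scriptTagStyle = { method: 'GET', headers: {} };

// Stand-alone demonstration.
const served = handleJsonRequest(sameOriginXhr, sampleRecords);
console.log('same-origin XHR ->', served.status,
  'guarded:', bodyIsNotValidScript(served.body),
  'parsed:', JSON.stringify(parseGuardedJson(served.body)));
console.log('script-tag style ->', handleJsonRequest(scriptTagStyle, sampleRecords).status);
console.log('bare JSON parses as script:', !bodyIsNotValidScript(JSON.stringify(sampleRecords)));
```

The POST-plus-marker check is the part that stops the cross-site include outright; the guard prefix is defence in depth for any endpoint that still answers a plain GET. A per-session token checked on the server works equally well as the marker, as long as it is something a `<script>` tag on another site cannot supply.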

Filed under: Security, Web 2.0

One Response to “Ajaxy Web 2.0 apps vulnerable to attacks”

  1. George Burnett
    April 8th, 2007 - 7:35 pm

    I have been waiting for something like this to come along and show its BIG ugly head!

    This is going to open a world of new XSS hacks.

Copyright © 2005-2008 YISTA. All rights reserved.  Proudly powered by WordPress.