Archive for January 2007
Rather interesting results coming in this time. First off, RSnake’s blog is apparently the most popular place for the web app sec people who responded. Next, there was an interesting question about AJAX.
Does using Ajax technology open up new website attacks?
a) Yes (9%)
b) Yes, it adds some new things (35%)
c) No, but it increases the attack surface (40%)
d) Nothing new here, move along (5%)
e) Other (9%)
No Answer (2%)
Now, that in itself isn’t too interesting, but there was a comment from one of the respondents that Jeremiah posted.
“It can increase the attack surface, but more importantly, Ajax technologies are being used to create better exploits. Focusing on whether using Ajax technologies creates new vulnerabilities is causing many people to look the wrong way when crossing the road.”
I totally agree with this one. I haven’t used Ajax for developing web applications at all. I find most of it can be done on the server side. On the other hand, I can use the XHR object to easily and quietly execute some actions on behalf of the afflicted user, such as propagating an XSS worm.
Another quick interesting note: only 2% of respondents said they thought browser security was rock-solid. I agree with everyone but those 2%. I really think something we need to work on is some sort of client-side protection. It’s much more difficult to teach every single developer secure coding practices than to develop an anti-XSS Firefox Extension. We really need to get the browser community working on this.
These ‘Snap’shots are presumably identical to the ones the search engine itself uses.
(It allows previewing search results for ease of use.)
Now, this is all fairly harmless and seemingly pointless, except that it seems they use a Gecko-based browser (probably Firefox) to spider sites, or at the very least to take their snapshots, and that browser executes the page’s JavaScript while doing so.
Take a look at this screenshot of a MySpace page with an older persistent XSS on it.
As you can see, there is an alert() in the Snap Preview.
I knew Google indexes XSS, but actually running the JS seems like bad practice…
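The defensive lesson from the screenshot above is that a snapshot or preview bot should never run the JavaScript of the pages it renders. The following is an added example, not code from the original post or from Snap, showing one defence-in-depth step: stripping active content (script-like elements, on* event handlers, javascript:/vbscript:/data: URLs) from fetched HTML before it is handed to a rendering engine. It uses only the Python standard library; the tag and attribute lists are my assumptions for illustration, and a real preview service would additionally disable script execution in the renderer itself rather than rely on this pass alone.

```python
"""Strip active content from HTML before a preview renderer sees it.

Added illustrative example (not the original post's or Snap's code). The
idea: a screenshot bot that shows a page with a persistent XSS should not
execute the injected script. Removing script-bearing markup up front is one
layer; disabling JavaScript in the rendering engine is the other.
"""
from html import escape
from html.parser import HTMLParser

# Elements that can carry or load executable content (assumed list).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# HTML void elements: never have a closing tag, so never nest content.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
# Attributes whose value is a URL and may carry a script: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def looks_active(value: str) -> bool:
    """True if a URL value starts with a script-capable scheme.

    Whitespace and control characters are removed first, so obfuscations
    such as 'java\\nscript:' or ' JavaScript:' are still caught.
    """
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 0x20)
    return compact.lower().startswith(SCRIPT_SCHEMES)


class ActiveContentStripper(HTMLParser):
    """Re-serialises HTML while dropping script-capable markup."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted untouched.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def _safe_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):          # event handler attribute
                continue
            if lname in URL_ATTRS and value is not None and looks_active(value):
                continue                        # javascript: style URL
            kept.append((lname, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1            # drop the element and its body
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in self._safe_attrs(attrs):
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if tag not in VOID_TAGS and self.skip_depth > 0:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:                 # script bodies are dropped here
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass                                     # comments carry no visible content

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(html: str) -> str:
    """Return HTML with script-capable elements and attributes removed."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample resembling an injected persistent XSS payload.
SAMPLE = ('<div onclick="alert(1)"><script>alert(1)</script>'
          '<a href="JavaScript:alert(1)">x</a><img src="ok.png"></div>')

if __name__ == "__main__":
    print(strip_active_content(SAMPLE))
```

Run it against the constructed sample and the `<script>` block, the `onclick` handler and the `javascript:` link target are gone while the harmless `<img>` survives. The renderer that produces the snapshot should still run with JavaScript disabled; this pass only reduces what reaches it.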