RETURN $ecure;

Security, Technology and Life

WASPS (Jan. 2007)


Jeremiah just posted the results of the Web Application Security Professionals Survey (I’m hereby shortening it to WASPS) for Jan. 2007.

Rather interesting results coming in this time. First off, RSnake’s blog is apparently the most popular place for the web app sec guys that responded. Next, there was an interesting question about Ajax.

Does using Ajax technology open up new website attacks?

a) Yes (9%)
b) Yes, it adds some new things (35%)
c) No, but it increases the attack surface (40%)
d) Nothing new here, move along (5%)
e) Other (9%)
No Answer (2%)

Now, that in itself isn’t too interesting, but there was a comment from one of the respondents that Jeremiah posted.

 “It can increase the attack surface, but more importantly, Ajax technologies are being used to create better exploits. Focusing on whether using Ajax technologies creates new vulnerabilities is causing many people to look the wrong way when crossing the road.”

I totally agree with this one. I haven’t used Ajax for developing web applications at all. I find most of it can be done on the server side. On the other hand, I can use the XHR object to easily and quietly execute some actions on behalf of the afflicted user, such as propagating an XSS worm.

Another interesting note: only 2% of respondents said they thought browser security was rock-solid. I agree with everyone except those 2%. I really think something we need to work on is some sort of client-side protection. It’s much more difficult to teach every single developer secure coding practices than it is to develop an anti-XSS Firefox extension. We really need to get the browser community working on this.

Written by Rodney G

01/18/2007 at 6:42 pm

Posted in Uncategorized


2 Responses


  1. hi,

    i totally agree with you on the browser thing,
    however, the nasty thing about xss is, that if you were to disable it,
    a normal user won't be able to use javascript on his page!

    it would require advanced techniques to check what the script does (almost impossible), and it must be sure the developer didn't intend that behaviour!

    so the only way to do this is by letting the developer tell whether or not it is safe javascript.. but again, it would require developers to code cleanly.. arr!

    interesting point though!



    02/5/2007 at 12:09 pm

  2. Glad you liked that quote about Ajax – that was my response. 🙂

    I’d like to include your blog in my planet ( – there’s some good content here. Would you mind disclosing your full name, or are you hoping to remain quasi-anonymous?

    Chris Shiflett

    04/26/2007 at 11:27 pm
