WASPS (Jan. 2007)

Jeremiah just posted the results of the Web Application Security Professionals Survey (I’m hereby shortening it to WASPS) for Jan. 2007.

Rather interesting results this time. First off, RSnake’s blog is apparently the most popular hangout for the web app sec guys who responded. Second, there was an interesting question about Ajax.

  Does using Ajax technology open up new website attacks?

a) Yes (9%)
b) Yes, it adds some new things (35%)
c) No, but it increases the attack surface (40%)
d) Nothing new here, move along (5%)
e) Other (9%)
No Answer (2%)

Now, that in itself isn’t too interesting, but Jeremiah also posted a comment from one of the respondents.

 “It can increase the attack surface, but more importantly, Ajax technologies are being used to create better exploits. Focusing on whether using Ajax technologies creates new vulnerabilities is causing many people to look the wrong way when crossing the road.”

I totally agree with this one. I haven’t used Ajax for developing web applications at all. I find most of it can be done on the server side. On the other hand, I can use the XHR object to easily and quietly execute some actions on behalf of the afflicted user, such as propagating an XSS worm.

Another quick but interesting note: only 2% of respondents said they thought browser security was rock-solid. I agree with everyone but those 2%. I really think something we need to work on is some sort of client-side protection. It’s much more difficult to teach every single developer secure coding practices than to develop an anti-XSS Firefox extension. We really need to get the browser community working on this.

Written by Rodney G

01/18/2007 at 6:42 pm

