securityfocus.com — This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this article are to understand the:
Oct 12, 2006
chrisklapp Oct 12, 2006
Web 2.0 is simply a more interactive web experience, escaping from static pages, in such a way that allows a section (or sections) of pages to be updated independently, without refreshing the page or browsing to a new page.
slasherx Oct 12, 2006
I see your point, but packet sniffers will capture that data regardless of the interface (in terms of applications, that is). I just don't see why this article raises this as a concern. In fact, if you plop up a copy of Ethereal and start sniffing in real time, you can see this all happen before your eyes. You stop the capture and then you can go back to it and see the very nicely formed request in the form of either a query string when using GET or a nicely formed x-www-form-urlencoded string. This is the case with web or other applications. I can set myself up an Ethereal session on a certain app like the lyrics plugin for Winamp, trace the URLs and data exchanged and referer and whatever else, and create a nice little script using curl to do the same thing. My point is that it's not exclusive to web 2.0, or whatever they want to call it now, in terms of HTTP requests, regardless of the interface or application used.
Closed Account Oct 12, 2006
Although the article didn't really... do much... it reminded me of something I thought of a while ago: how many SQL injections, XSS vulns and such AJAX has introduced. Much like when a lot of people started with PHP and didn't really understand the problems not escaping characters could have (for example). Although such screw-ups are generally harder to find than PHP (having to sort through JavaScript code to find the PHP/ASP/etc. scripts they are calling), it just seems like within a year there will be a lot more XSS vulnerabilities found when "Web 2.0 applications" are distributed like phpBB is (very widespread). - Ben
vbsurfer Oct 12, 2006
FYI: Web 3.0 = AS 3.0 (Flash). Dynamic Flash sites are growing in popularity each day. With Windows WPF as well, you'll see less and less of the standard usage of HTML and CSS or even hybrid. People like the rich internet experience; check out http://www.ea.co.nz/en-nz/. That site is full Flash. This is the future of the web.
silverrocket Oct 13, 2006
Just because nobody has mentioned it yet, if you stick with the golden rule of always re-validating user input on the server side, you can avoid a lot of problems. The article is alright, but the example of hacking a login/password is ridiculous - who is using JavaScript to validate logins and passwords?! Using sessions in the scripts pulling the data on the server and sending the XML back to the browser will also help, especially in the case of serving up "authorized-only" AJAXified content.
abic Oct 13, 2006
Anyone doing any kind of serious web 2.0 development is already using these tools and more. Bad design is bad design, asynchronous or not. If you are sending actual SQL statements to the server from the client, the design would be just as vulnerable no matter the technology. If you aren't validating and escaping everything on the server, you are vulnerable. Ajax or not.
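The server-side pattern that silverrocket and abic describe in the comments above, as an added example that is not part of the thread or the linked article: the endpoint behind an Ajax call authorizes from session state, re-validates the parameter and escapes what it sends back as XML. Every name here (`handleArticleRequest`, `SESSIONS`, `ARTICLES`, the `sid` cookie) and all sample data are assumptions constructed for illustration, and `req` is a plain object standing in for a parsed HTTP request.

```javascript
// Constructed sample state: a real application would use its session store and database.
const SESSIONS = new Map([["sid-constructed-1", { user: "alice" }]]);
const ARTICLES = new Map([[42, { title: "Q3 <draft> & notes" }]]);

// Escape the five XML metacharacters so stored data cannot alter the response markup.
function escapeXml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function xml(status, inner) {
  return { status, contentType: "application/xml", body: `<response>${inner}</response>` };
}

// Hypothetical handler for GET /article?id=N, the URL an Ajax widget would call.
// Anyone can replay that URL with curl, so nothing the page's JavaScript checked counts here.
function handleArticleRequest(req) {
  // 1. Authorization comes from server-side session state, never from a client-sent flag.
  const sid = req.cookies ? req.cookies.sid : undefined;
  const session = typeof sid === "string" ? SESSIONS.get(sid) : undefined;
  if (!session) return xml(401, "<error>login required</error>");

  // 2. Re-validate the input: a single string of 1 to 9 digits, nothing else.
  const raw = req.query ? req.query.id : undefined;
  if (typeof raw !== "string" || !/^[0-9]{1,9}$/.test(raw)) {
    return xml(400, "<error>invalid id</error>");
  }

  // 3. Look up by the parsed number; the client never supplies query text.
  const article = ARTICLES.get(Number(raw));
  if (!article) return xml(404, "<error>not found</error>");

  // 4. Escape on output before the XML goes back to the browser.
  return xml(200, `<title>${escapeXml(article.title)}</title>`);
}
```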
nxtwrld Oct 13, 2006
@ihaterobots - you're welcome. You will find the solution to your Firebug resource eating... oh sorry, no spamming.