<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How to write AJAX Worms &#8211; theoretical point of view</title>
	<atom:link href="http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/</link>
	<description>Information Security Think Tank</description>
	<lastBuildDate>Mon, 12 Dec 2011 19:56:03 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
	<item>
		<title>By: Search Marketing Specialist</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-5566</link>
		<dc:creator>Search Marketing Specialist</dc:creator>
		<pubDate>Wed, 28 Feb 2007 13:59:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-5566</guid>
		<description>It is so badly spread and no one seems to care or to prevent it.</description>
		<content:encoded><![CDATA[<p>It is so badly spread and no one seems to care or to prevent it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-2388</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Mon, 15 Jan 2007 09:42:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-2388</guid>
		<description>Aodhhan, well said.</description>
		<content:encoded><![CDATA[<p>Aodhhan, well said.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Aodhhan</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-2274</link>
		<dc:creator>Aodhhan</dc:creator>
		<pubDate>Fri, 12 Jan 2007 21:30:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-2274</guid>
		<description>Web 2.0 and its future is not about user generated content. In fact, it is the opposite. It is about automatically generated content in response to a manual or automatic request.

For instance: I book a flight, hotel and rental car from one site. Web 2.0 allows me to visit a web site which takes my information from my domain, and gets the information I need from many different sites, sorts it out in its services, then sends it to my domain so I can view it and make a decision.

Another example: Ebay. You don&#039;t think they keep all their databases in one domain do you? Although, it may appear they do! Some of their databases are thousands of miles away from the main site and in a totally different domain. Google is the same.

What makes AJAX so dangerous, is it is perfect in the world of web services. It allows functionality too complicated for traditional HTML &amp; GET/POST requests. Plus it is easier to write java and XMLHTTP, than to code a C++ client.
This makes it popular to make backend calls in many different web services architectures. 
The huge danger with Web 2.0, is separate domains share information automatically. To do this, we must set up a trust between my domain and yours. A scary thought for any security specialist.
In the corporate world, there are special security filters to monitor this progress. You hope it works!

However, using this technology in other environments is dangerous, since normal firewalls, even application layer firewalls do not have the ability to see any danger in XML style requests.
Hackers understand this, and know many web sites which are set up may not have this extra security, and bang... you are owned, and your firewall is useless.

But it affirms your statement; Flexibility vs Security, is still the major lip babbler in IT risk assessment.</description>
		<content:encoded><![CDATA[<p>Web 2.0 and its future is not about user generated content. In fact, it is the opposite. It is about automatically generated content in response to a manual or automatic request.</p>
<p>For instance: I book a flight, hotel and rental car from one site. Web 2.0 allows me to visit a web site which takes my information from my domain, and gets the information I need from many different sites, sorts it out in its services, then sends it to my domain so I can view it and make a decision.</p>
<p>Another example: Ebay. You don&#8217;t think they keep all their databases in one domain do you? Although, it may appear they do! Some of their databases are thousands of miles away from the main site and in a totally different domain. Google is the same.</p>
<p>What makes AJAX so dangerous, is it is perfect in the world of web services. It allows functionality too complicated for traditional HTML &amp; GET/POST requests. Plus it is easier to write java and XMLHTTP, than to code a C++ client.<br />
This makes it popular to make backend calls in many different web services architectures.<br />
The huge danger with Web 2.0, is separate domains share information automatically. To do this, we must set up a trust between my domain and yours. A scary thought for any security specialist.<br />
In the corporate world, there are special security filters to monitor this progress. You hope it works!</p>
<p>However, using this technology in other environments is dangerous, since normal firewalls, even application layer firewalls do not have the ability to see any danger in XML style requests.<br />
Hackers understand this, and know many web sites which are set up may not have this extra security, and bang&#8230; you are owned, and your firewall is useless.</p>
<p>But it affirms your statement; Flexibility vs Security, is still the major lip babbler in IT risk assessment.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-2036</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Sun, 07 Jan 2007 15:44:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-2036</guid>
		<description>This is a good point, however WEB 2.0 and the future of the WEB in general is all about user generated content. Long gone are the days of simple, disintegrated WEB application. Today we are talking about dynamic systems that are easily deployed. Systems that provide high degree of accessibility and flexibility. Complex systems! &lt;a href=&quot;http://www.gnucitizen.org/blog/security-vs-accessibility&quot; rel=&quot;nofollow&quot;&gt;It is always a matter of choosing between security and accessibility.&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>This is a good point, however WEB 2.0 and the future of the WEB in general is all about user generated content. Long gone are the days of simple, disintegrated WEB application. Today we are talking about dynamic systems that are easily deployed. Systems that provide high degree of accessibility and flexibility. Complex systems! <a href="http://www.gnucitizen.org/blog/security-vs-accessibility" rel="nofollow">It is always a matter of choosing between security and accessibility.</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Korhonen</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-2033</link>
		<dc:creator>Chris Korhonen</dc:creator>
		<pubDate>Sun, 07 Jan 2007 15:07:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-2033</guid>
		<description>Interesting article, and things like the MySpace worm&#039;s are evidence that AJAX can prevent a serious security issue. But, looking at the examples, this vulnerability is limited to sites which publish user generated content.

Like all Web applications, developers need to be aware of one simple principle of application design - Never Trust the User. Systems should be designed so user generated content can never present any kind of security risk. Simple precautions like stripping out HTML and other illegal characters, or sanitizing them, are something which should be done as standard.

This should be the responsibility of the developer, though it probably wouldn&#039;t hurt if authors of frameworks such as Ruby on Rails add this functionality as a default...</description>
		<content:encoded><![CDATA[<p>Interesting article, and things like the MySpace worm&#8217;s are evidence that AJAX can prevent a serious security issue. But, looking at the examples, this vulnerability is limited to sites which publish user generated content.</p>
<p>Like all Web applications, developers need to be aware of one simple principle of application design &#8211; Never Trust the User. Systems should be designed so user generated content can never present any kind of security risk. Simple precautions like stripping out HTML and other illegal characters, or sanitizing them, are something which should be done as standard.</p>
<p>This should be the responsibility of the developer, though it probably wouldn&#8217;t hurt if authors of frameworks such as Ruby on Rails add this functionality as a default&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Myspace Layouts &#187; Blog Archive &#187; How to write AJAX Worms &#8211; theoretical point of view</title>
		<link>http://www.gnucitizen.org/blog/how-to-write-ajax-worms-theoretical-point-of-view/comment-page-1/#comment-2031</link>
		<dc:creator>Myspace Layouts &#187; Blog Archive &#187; How to write AJAX Worms &#8211; theoretical point of view</dc:creator>
		<pubDate>Sun, 07 Jan 2007 14:41:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.gnucitizen.org/blog/how-to-write-ajax-worms-%e2%80%93-theoretical-point-of-view#comment-2031</guid>
		<description>[...] Original post by pdp and software by Elliott Back [...]</description>
		<content:encoded><![CDATA[<p>[...] Original post by pdp and software by Elliott Back [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>