Agreed. This comes up every few months. In this case, it looks like they're talking about JSON data being readable from any host. I guess they mean if you're getting data via the remote script tag and callback technique, other sites could do the same thing and access your data? Seems like a pretty poor way for a legitimate site to work.
IMHO, the fact that forms can be submitted via javascript (no ajax involved) is a much bigger issue, but if you design correctly, it isn't a problem. Regardless, this thread will likely get huge :) --Erik On 4/2/07, Karl Rudd <[EMAIL PROTECTED]> wrote:
Bah, it's not a new vulnerability, it's always been there and always been known about. I call FUD on this. The following is an excerpt that is the keystone of the whole thing: "In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker." Firstly _don't visit suspect sites_. Secondly their "example attack" is flawed. As far as I'm aware JavaScript code on one page does not have access to the cookies of other webpages. If it does it's a security flaw in the browser, nothing a JavaScript library can do about it. Karl Rudd On 4/3/07, Kush Murod <[EMAIL PROTECTED]> wrote: > > Hi guys, > > Article below says all big JS Libraries are vulnerable including JQuery > I didn't quite understand the article, but was hoping for some feedback > on it > > http://www.cbronline.com/article_news.asp?guid=484BC88B-630F-4E74-94E9-8D89DD0E6606 > > > Cheers, > > -- > Kush Murod, Web applications developer > Sensory Networks > [E] [EMAIL PROTECTED] > [W] www.sensorynetworks.com > [T] +61 2 8302 2745 > [F] +61 2 9475 0316 > [A] Level 6, 140 William Street East Sydney 2011 > >
