ROTECTED]
> -Original Message-
> From: jquery-en@googlegroups.com
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Ovenden
> Sent: Wednesday, April 04, 2007 4:02 AM
> To: jQuery (English)
> Subject: [jQuery] Re: Web 2.0 is vulnerable to attack
>
>
> I just
On 04.04.2007, at 13:02, Chris Ovenden wrote:
I just read the paper and, correct me if I'm wrong, this vulnerability
*only* applies to JSON. XML is safe, because it has to be parsed
before the data can be extracted. I avoid JSON because I don't like to
have eval() statements in my code. This w
I just read the paper and, correct me if I'm wrong, this vulnerability
*only* applies to JSON. XML is safe, because it has to be parsed
before the data can be extracted. I avoid JSON because I don't like to
have eval() statements in my code. This would seem a more obvious
solution to the problem t
Nathan, All good information, much appreciated.
--
Benjamin Sterling
http://www.KenzoMedia.com
http://www.KenzoHosting.com
oung - Artizen at Cisco)
> Sent: Tuesday, April 03, 2007 3:30 PM
> To: jquery-en@googlegroups.com
> Subject: [jQuery] Re: Web 2.0 is vulnerable to attack
>
>
> Hi.
>
> I know you asked for code but what you're getting is more
> talk. Sorry.
>
> You can't
m
> [mailto:[EMAIL PROTECTED] On Behalf Of Benjamin Sterling
> Sent: Tuesday, April 03, 2007 12:10 PM
> To: jquery-en@googlegroups.com
> Subject: [jQuery] Re: Web 2.0 is vulnerable to attack
>
> >>How about posting some example code that shows an example
> of how secret
Keep in mind that this is more of a server-side thing. The only JS piece
involves adding a variable value to your URL when pulling the data through
a script tag or an iframe.
e.g.: http://mysite/myapplication?uniquevalue=foo
Then, your server application should return an error (perhaps 500?) i
How about posting some example code that shows an example of how secret
one time tokens can be created and used within jQuery.
I second that. It would go a long way in educating me on the proper way of
doing things.
--
Benjamin Sterling
http://www.KenzoMedia.com
http://www.KenzoHosting.com
_.:||:._.:||:._.:||:._.:||:._.:||:._.:||:.
Nathan Young
Cisco.com->Interface Development
A: ncy1717
E: [EMAIL PROTECTED]
-Original Message-
From: jquery-en@googlegroups.com
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Peter
Sent: Tuesday, April 03, 2007 3:56 AM
To: jquery-en@googlegroups.
:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:._.:||:.
Nathan Young
Cisco.com->Interface Development
A: ncy1717
E: [EMAIL PROTECTED]
> -Original Message-
> From: jquery-en@googlegroups.com
> [mailto:[EMAIL PROTECTED] On Behalf Of Markus Peter
> Sent: Tuesday, April 0
Yes, you're right, I was calling "FUD" on the article. I dashed that
email off rather too quickly in retrospect. The paper itself is quite
reasonable in it's treatment of things.
Karl Rudd
On 4/3/07, Markus Peter <[EMAIL PROTECTED]> wrote:
On 03.04.2007, at 08:07, Karl Rudd wrote:
>
> Bah, it
On 03.04.2007, at 08:07, Karl Rudd wrote:
Bah, it's not a new vulnerability, it's always been there and always
been known about.
I call FUD on this.
The following is an excerpt that is the keystone of the whole thing:
"In an example attack, a victim who has already authenticated
themselves
I don't doubt that someone put alot of time into this particular FUD piece,
but once again (just like all the other articles on this subject), no proof
is given. If it's so easy, have it read an arbitrary email from my GMail and
THEN I will take the arguments seriously.
In the mean time, I laugh
On 4/3/07, Pedro Luz <[EMAIL PROTECTED]> wrote:
javascript also as the SOP (same origin policy)
actually it doesn't, this is how google adsense for example works.
w
javascript also as the SOP (same origin policy)
On Apr 3, 7:23 am, "Erik Beeson" <[EMAIL PROTECTED]> wrote:
> Agreed. This comes up every few months. In this case, it looks like
> they're talking about JSON data being readable from any host. I guess
> they mean if you're getting data via the remo
Agreed. This comes up every few months. In this case, it looks like
they're talking about JSON data being readable from any host. I guess
they mean if you're getting data via the remote script tag and
callback technique, other sites could do the same thing and access
your data? Seems like a prett
Yes, sorry, that's what I was refering too about the "old problem".
Should have been a bit clearer.
It only works on "shared" sites.
Karl Rudd
On 4/3/07, Ⓙⓐⓚⓔ <[EMAIL PROTECTED]> wrote:
Or is it the old problem with domain wide cookies? I give a cookie for
x.com on jake.x.com and you read my c
Or is it the old problem with domain wide cookies? I give a cookie for
x.com on jake.x.com and you read my cookie on karl.x.com? You still
can't ajax to jake.x.com.
It sounds like disinformation to me!
On 4/2/07, Karl Rudd <[EMAIL PROTECTED]> wrote:
Bah, it's not a new vulnerability, it's alwa
Nice article...
AJAX, as Kevin Murphy said ... "Since Ajax is in its infancy, this is
fair less of a problem than, say, buffer overflows were when they
first came to light, Chess noted. There are not a lot of legacy Ajax
applications that will need to be fixed. So, Fortify wants to
publicize its
Bah, it's not a new vulnerability, it's always been there and always
been known about.
I call FUD on this.
The following is an excerpt that is the keystone of the whole thing:
"In an example attack, a victim who has already authenticated
themselves to an Ajax application, and has the login coo
20 matches
Mail list logo
