A book on JavaScript security issues, or rather a survey; anyone interested can take a look. It is very useful for programming safe Ajax applications!

Contents
An increasing number of rich Web applications, often called Ajax applications, make use of JavaScript as a data transport mechanism. This paper describes a vulnerability we term JavaScript Hijacking, which allows an unauthorized party to read confidential data contained in JavaScript messages. The attack works by using a <script> tag to circumvent the Same Origin Policy enforced by Web browsers. Traditional Web applications are not vulnerable because they do not use JavaScript as a data transport mechanism.

We analyzed 12 popular Ajax frameworks, including 4 server-integrated toolkits (Direct Web Remoting (DWR), Microsoft ASP.NET Ajax (a.k.a. Atlas), xajax and Google Web Toolkit (GWT)) and 8 purely client-side libraries (Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit). We determined that among them only DWR 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentation.

Many programmers are not using any of these frameworks, but based on our findings with the frameworks, we believe that many custom-built applications are also vulnerable. An application may be vulnerable if it:

- Uses JavaScript as a data transfer format
- Handles confidential data

We advocate a two-pronged mitigation approach that allows applications to decline malicious requests and prevent attackers from directly executing JavaScript the applications generate.