找回密码
 注册
搜索
热搜: java php web
查看: 2796|回复: 3

JavaScript Hijacking

[复制链接]
发表于 2009-1-27 17:39:01 | 显示全部楼层 |阅读模式
关于Javascript安全问题的书,或者可以说是调查,有兴趣地可以看看,对program safe ajax application很有用!

内容
An increasing number of rich Web applications, often called Ajax applications, make use of
JavaScript as a data transport mechanism. This paper describes a vulnerability we term JavaScript
Hijacking, which allows an unauthorized party to read confidential data contained in JavaScript
messages. The attack works by using a <script> tag to circumvent the Same Origin Policy
enforced by Web browsers. Traditional Web applications are not vulnerable because they do not
use JavaScript as a data transport mechanism.

We analyzed 12 popular Ajax frameworks, including 4 server-integrated toolkits – Direct Web
Remoting (DWR), Microsoft ASP.NET Ajax (a.k.a. Atlas), xajax and Google Web Toolkit
(GWT) -- and 8 purely client-side libraries -- Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery,
Yahoo! UI, Rico, and MochiKit. We determined that among them only DWR 2.0 implements
mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly

provide any protection and do not mention any security concerns in their documentation.
Many programmers are not using any of these frameworks, but based on our findings with the
frameworks, we believe that many custom-built applications are also vulnerable. An application
may be vulnerable if it:

? Uses JavaScript as a data transfer format
? Handles confidential data

We advocate a two-pronged mitigation approach that allows applications to decline malicious
requests and prevent attackers from directly executing JavaScript the applications generate.

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?注册

×
发表于 2009-1-27 19:14:04 | 显示全部楼层
这本书看上去不错啊!可是有点小,不知道里面的内容能不能讲的透
回复

使用道具 举报

发表于 2009-1-27 18:38:58 | 显示全部楼层
谢谢分享!!!!
回复

使用道具 举报

发表于 2009-1-27 18:41:06 | 显示全部楼层
thank youuu
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

Archiver|手机版|小黑屋|软晨网(RuanChen.com)

GMT+8, 2024-11-26 02:49

Powered by Discuz! X3.5

Copyright © 2001-2023 Tencent Cloud.

快速回复 返回顶部 返回列表