[OpenAjaxSecurity] Google has posted an article on Ajax security

Jon Ferraiolo jferrai at us.ibm.com
Wed Apr 4 12:53:10 PDT 2007


Bertrand,
Thanks for referencing the MS posting.

I read through the JavaScript hijacking article and I think it throws a
spotlight on just a couple of issues among many. For the issues pointed out
in the article, there are techniques to address the potential problem, and
ASP.NET uses some of those techniques.

The question for the security task force is what role OpenAjax should play.
Here are some options:

(1) We could play an educational role. There are known techniques for many
of the most well-known Ajax vulnerability issues. OpenAjax Alliance could
create white papers or web pages that describe these vulnerabilities and
techniques for addressing them (or link to other sources which provide the
details).

(2) We could define a set of Ajax security best practices as part of our
OpenAjax Conformance trust brand. In order for products to claim OpenAjax
Conformance, they would have to support our security-related best
practices.

(3) We could play a role in improving the security infrastructure of the
Web. Maybe there are improvements to the browser or server technologies
which would help with security issues. (One example might be federated
authentication.)

I don't have an opinion yet, but my instincts are that there is something
we can do around (1) and (2) at least.

Jon
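The JavaScript/JSON hijacking problem Jon refers to above: a JSON array returned to an authenticated GET is also a valid script, so a third-party page can pull it in with `<script src="...">` (the browser attaches the victim's cookies) and, in the browsers affected at the time, read the values out. Two of the known countermeasures are to make the response body unparseable as a script and to refuse requests that a `<script>` tag could have made. The following is an added illustration written for this page, not code from the thread, from ASP.NET AJAX or from the GWT article; the prefix string, the helper names and the sample account data are all constructed for the example.

```javascript
'use strict';

// Countermeasure 1: prefix the JSON so the body is a syntax error when the
// browser evaluates it as a script, while an XHR caller that knows the prefix
// can strip it and parse the rest. The exact prefix is an assumption here.
const GUARD_PREFIX = ")]}',\n";

// Server side: serialize a payload behind the guard prefix.
function serveGuardedJson(payload) {
  return GUARD_PREFIX + JSON.stringify(payload);
}

// Client side (the application's own XMLHttpRequest code): verify the prefix,
// then parse what follows. Refusing a body without the prefix catches the case
// where a server forgets the guard or a proxy strips it.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response lacks the anti-hijacking prefix; refusing to parse');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Countermeasure 2: a <script src> inclusion is always a GET and cannot set a
// Content-Type of application/json (an HTML form cannot either), so only serve
// the JSON to POST requests that carry that header, as an XHR caller would.
function isAjaxRequest(method, headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  return method === 'POST' && lower['content-type'] === 'application/json';
}

// Attacker's view: would this body load as a script without a parse error?
// new Function() parses the text as a function body without running it, which
// is enough to tell a hijackable array literal from a guarded response.
function loadsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample of the kind of data a hijacked endpoint would leak.
const SAMPLE_ACCOUNTS = [{ account: 'alice', balance: 1200 }];

// Runs the comparison and returns the findings instead of only printing them.
function demo() {
  const plain = JSON.stringify(SAMPLE_ACCOUNTS);
  const guarded = serveGuardedJson(SAMPLE_ACCOUNTS);
  return {
    plainLoadsAsScript: loadsAsScript(plain),      // true: hijackable body
    guardedLoadsAsScript: loadsAsScript(guarded),  // false: parse error
    roundTrip: parseGuardedJson(guarded),
    scriptTagRequestAccepted: isAjaxRequest('GET', {}),
    xhrRequestAccepted: isAjaxRequest('POST', { 'Content-Type': 'application/json' }),
  };
}

console.log(demo());
```

A prefix such as `while(1);` is a variant of the same idea: it parses, but a `<script>` that includes it never reaches the data. The parse check above would not flag it, so a test for that variant has to look for the literal prefix rather than a syntax error. Neither countermeasure replaces the other: the prefix protects the body if a GET endpoint is exposed by mistake, and the method/header check keeps the endpoint from being reachable from a `<script>` tag at all.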

Bertrand Le Roy <Bertrand.Le.Roy@microsoft.com>
Sent by: security-bounces@openajax.org
04/04/2007 11:48 AM
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxSecurity] Google has posted an article on Ajax security
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>

FYI, here’s the Microsoft answer on the JSON hijacking vulnerability that
made the news yesterday:
http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx


From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Monday, April 02, 2007 4:07 PM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Google has posted an article on Ajax security



Google has posted an article on Ajax security:

http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security

