[OpenAjaxSecurity] [OpenAjaxMarketing] Wiki page created for white paper on "Ajax andMashup Security"

Frederik De Keukelaere EB41704 at jp.ibm.com
Thu Aug 2 18:27:00 PDT 2007


Jon, David,

Just a small comment below.

- Fred

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory




Jon Ferraiolo <jferrai at us.ibm.com> 
Sent by: security-bounces at openajax.org
2007/08/03 06:51
Please respond to
OpenAjax Alliance Security Task Force <security at openajax.org>


To
"Frankel, David" <david.frankel at sap.com>
cc
marketing at openajax.org, security at openajax.org
Subject
Re: [OpenAjaxSecurity] [OpenAjaxMarketing] Wiki page created for white paper on "Ajax andMashup Security"






Hi David,
I went through your issues on the discussion tab. Thanks for highlighting 
these questions. Here are my responses.

David: You seem to be saying that IE's HttpOnly cookies don't improve the 
situation because there are other browsers besides IE. However, I think it 
is going too far to say that this doesn't improve the situation at all. 
Wouldn't it be better to say that it helps somewhat but doesn't fully 
solve the problem? 
Response: Good point. I changed the wording to say: "Note that Microsoft® 
Internet Explorer® 6 or later supports HttpOnly cookies, which prevent the 
client-side script from accessing document cookies. HttpOnly cookies do 
help to address one common vulnerability area for IE users, but so far the 
feature is not supported by other browsers."
FDK: Very recently Firefox 2.0.0.5 added support for httponly cookies. See 
http://www.petefreitag.com/item/644.cfm. I would suggest including that, 
since Firefox 2.0.0.5, httponly is also supported by Firefox. However, 
httponly is vulnerable to the following attack: 
http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/. 
From what I tested, both IE (I tested on 7) and FF (2.0.0.6) are vulnerable 
to this. It would be good to have a second confirmation of this. Anyone 
interested in testing this?

David: The definition of Blacklisting stops in mid-sentence. 

Response: Yes, there was a dangling sentence. I fixed it. Now reads: 
"Blacklisting: In this approach, all characters in the blacklist are 
filtered out from the input. The biggest challenge with blacklisting is to 
ensure that all dangerous characters are listed since it isn't possible to 
foresee all possible combinations of characters. "

David: I made some edits to the section about escaping special characters 
for readability. Double check it to make sure that I didn't inadvertently 
introduce errors in the escape sequences. 

Response: I reviewed your edits. I don't see any errors.

Thanks again!
Jon

Jon Ferraiolo <jferrai at us.ibm.com>
Web Architect, Emerging Technologies
IBM, Menlo Park, CA
Mobile: +1-650-926-5865

Jon Ferraiolo/Menlo Park/IBM at IBMUS 
Sent by: marketing-bounces at openajax.org 
08/01/2007 03:59 PM



To

"Frankel, David" <david.frankel at sap.com>

cc

marketing at openajax.org, security at openajax.org

Subject

Re: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax 
andMashup Security"





Hi David,
Great job with detailed review and editorial cleanup! Thanks very much. I 
went through all of your edits and they all look good. I still have to 
study the comments on the discussion tab.

Jon

"Frankel, David" <david.frankel at sap.com> 
Sent by: marketing-bounces at openajax.org 
08/01/2007 03:07 PM



To

<security at openajax.org>, <marketing at openajax.org>

cc


Subject

Re: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax 
andMashup Security"





As I promised during the marketing telecon, I have taken an edit pass 
through the draft whitepaper. I edited for grammar and readability only, 
not for technical content. There are a few outstanding issues that I 
explain in the discussion page.

--Dave 
David S. Frankel 
Lead Standards Architect - Model Driven Systems 
NetWeaver Industry Standards 
SAP Labs LLC 
3410 Hillview Ave, Building E
Palo Alto, CA 94304 
Phone & Cell +1 530 893-1100 
mailto:David.Frankel at sap.com 
http://www.sdn.com 
From: marketing-bounces at openajax.org [
mailto:marketing-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Thursday, Jul 19, 2007 11:38 AM
To: security at openajax.org; marketing at openajax.org
Subject: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax 
andMashup Security" 
I have completed the first steps towards a white paper on "Ajax and Mashup 
Security". As has been discussed in the Marketing and Security committees, 
the proposed plan is to develop this white paper as a joint effort between 
the Marketing WG and the Security TF. 

Here is the white paper as it stands today:
* http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security

Here is what I am thinking about the process for finishing this white 
paper:

Early phase:
* Security TF does most of the work.
* Marketing WG monitors and offers high-level feedback

Late phase:
* Marketing WG performs detailed editorial review
* Marketing WG authorizes publishing to the OpenAjax web site as an 
official white paper and for use within magazine articles
* Security TF participates in these discussions and complains if it sees 
something it doesn't like (which is unlikely)

This white paper might proceed quickly, and there are advantages with 
speed. The reason why the white paper might proceed quickly is that some 
IBM researchers have already written a very nice article and we have 
permission from the authors and IBM to create a derivative work so long as 
we include the notice "First published by IBM developerWorks at 
http://www.ibm.com/developerWorks/." The advantage of moving quickly is 
that we have an opportunity to publish the article in the September 
edition of AJAXWorld magazine, which will be distributed to all attendees 
of the AJAXWorld conference. Getting this article into the magazine would 
be a benefit to the community and would be a big plus towards promoting 
OpenAjax.

My opinion is that with a small amount of effort in the next few weeks, we 
can complete this white paper in time for AJAXWorld magazine. The deadline 
is a bit slippery, where they would like the articles submitted by July 31 
but have given good indication that mid August probably is soon enough. I 
believe the original article is nearly suitable in its original form, with 
only minor changes needed to adapt for appropriateness for OpenAjax 
Alliance. I inserted my list of recommended changes (highlight in red) 
onto the wiki page for the article. (
http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security)

If anyone sees any problems with this approach, please speak up via email 
or speak up during one of the next telecons (i.e., Marketing telecon or 
Security telecon).

Thanks.
Jon

PS: Regarding AJAXWorld magazine, I also promised two other articles, an 
update on where things stand with OpenAjax Alliance (probably steal 
content from my latest slide decks and from 
http://www.openajax.org/about.html), and another article on the OpenAjax 
Hub (probably repurpose content from 
http://www.openajax.org/OpenAjax%20Hub.html, which we developed within the 
marketing committee recently). There is also a small chance of an 
AJAXWorld article on Mobile Ajax.
_______________________________________________
marketing mailing list
marketing at openajax.org
http://openajax.org/mailman/listinfo/marketing
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security
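Added example (not from the thread or the white paper): a small Set-Cookie parser that audits which cookies carry the HttpOnly flag, and contrasts what document.cookie can see with what a script could learn if the browser let it read the raw Set-Cookie response header, which is the gap the linked report describes. The header values below are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased so "HttpOnly" and "httponly" compare equal.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// What document.cookie would expose to page script: only cookies set
// without HttpOnly. These are the ones an audit should flag.
function visibleToDocumentCookie(headers) {
  return headers
    .map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => c.name);
}

// What a script could learn if it may read the raw Set-Cookie response
// header (the case discussed in the thread): every cookie, HttpOnly or not.
// HttpOnly hides the value from document.cookie, not from the HTTP response.
function visibleViaResponseHeaders(headers) {
  return headers.map(parseSetCookie).map(c => c.name);
}

// Constructed sample Set-Cookie headers from one response.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly',
  'prefs=theme%3Ddark; Path=/',
  'token=xyz; Secure; HttpOnly; Path=/app',
];

console.log('document.cookie sees:', visibleToDocumentCookie(SAMPLE_HEADERS));
console.log('raw headers expose:', visibleViaResponseHeaders(SAMPLE_HEADERS));
```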
