[OpenAjaxSecurity] [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"

Jon Ferraiolo jferrai at us.ibm.com
Sun Aug 5 21:19:33 PDT 2007


Sachiko,
Looks good to me! Thanks.

Jon


From: Sachiko Yoshihama <SACHIKOY at jp.ibm.com>
Sent: 08/05/2007 06:53 PM
To: Jon Ferraiolo/Menlo Park/IBM at IBMUS
Cc: marketing at openajax.org, OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxMarketing] [OpenAjaxSecurity] Wiki page created for white paper on "Ajax and Mashup Security"

Jon,

I've updated the whitepaper and the resources page. Please check.

Sachiko
--
YOSHIHAMA, Sachiko (FAMILY, Given)
IBM Tokyo Research Laboratory
Tel: 046-215-4828 / TieLine: 808-4828
E-mail: sachikoy at jp.ibm.com

From: Jon Ferraiolo <jferrai at us.ibm.com>
Sent: 2007/08/03 23:18
To: Sachiko Yoshihama/Japan/IBM at IBMJP
Cc: marketing at openajax.org, OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxMarketing] [OpenAjaxSecurity] Wiki page created for white paper on "Ajax and Mashup Security"

Sachiko and Fred,
Do either of you want to update the white paper? If not, I can make an
attempt.

Jon

Jon Ferraiolo <jferrai at us.ibm.com>
Web Architect, Emerging Technologies
IBM, Menlo Park, CA
Mobile: +1-650-926-5865

From: Sachiko Yoshihama <SACHIKOY at jp.ibm.com>
Sent by: marketing-bounces at openajax.org
Sent: 08/02/2007 07:03 PM
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Cc: marketing at openajax.org, OpenAjax Alliance Security Task Force <security at openajax.org>, security-bounces at openajax.org
Subject: Re: [OpenAjaxMarketing] [OpenAjaxSecurity] Wiki page created for white paper on "Ajax and Mashup Security"

Fred,

Thanks for pointing that out. I've tested the attack on Firefox 2.0.0.5 and
2.0.0.6 and agree with you to add a sentence on it.

Although we didn't clearly mention it in the original article, Cross-Site
Tracing (XST) is another way of attacking the httpOnly cookie, and maybe we
should add references to the following URLs too.

* http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
* Amit Klein, XST variants (January 2003):
  http://www.modsecurity.org/archive/amit/xst_attack_variants.txt

Sachiko
--
YOSHIHAMA, Sachiko (FAMILY, Given)
IBM Tokyo Research Laboratory
Tel: 046-215-4828 / TieLine: 808-4828
E-mail: sachikoy at jp.ibm.com
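
The two server-side points raised in this part of the thread, the HttpOnly flag on Set-Cookie and whether TRACE is still enabled (the precondition for Cross-Site Tracing), can be checked with a small header audit. This is an added example, not code from the thread, the white paper or the OpenAjax Alliance; the header list is a constructed sample and the function names are my own.

```python
# Added example, not from the OpenAjax thread or the white paper: audit
# HTTP response headers for the two points discussed above, the HttpOnly
# flag on Set-Cookie and whether TRACE is still enabled (Cross-Site
# Tracing relies on TRACE echoing request headers, cookies included).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (header name, header value)


@dataclass
class CookieReport:
    name: str
    http_only: bool
    secure: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Header]) -> List[CookieReport]:
    """One report per Set-Cookie header, noting missing HttpOnly/Secure."""
    reports: List[CookieReport] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        rep = CookieReport(name, "httponly" in attrs, "secure" in attrs)
        if not rep.http_only:
            rep.problems.append("missing HttpOnly (readable via document.cookie)")
        if not rep.secure:
            rep.problems.append("missing Secure (sent over plain HTTP)")
        reports.append(rep)
    return reports


def trace_enabled(headers: List[Header]) -> bool:
    """True if an Allow header (e.g. from an OPTIONS response) lists TRACE."""
    for hname, hvalue in headers:
        if hname.lower() == "allow":
            if "TRACE" in {m.strip().upper() for m in hvalue.split(",")}:
                return True
    return False


# Constructed sample response headers, not a real capture.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Allow", "GET, HEAD, POST, OPTIONS, TRACE"),
]

if __name__ == "__main__":
    for rep in audit_cookies(SAMPLE_HEADERS):
        print(f"{rep.name}: {'; '.join(rep.problems) or 'ok'}")
    if trace_enabled(SAMPLE_HEADERS):
        print("TRACE is enabled: disable it to close the Cross-Site Tracing path")
```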

From: Frederik De Keukelaere/Japan/Contr/IBM at IBMJP
Sent by: security-bounces at openajax.org
Sent: 2007/08/03 10:27
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Cc: marketing at openajax.org, "Frankel, David" <david.frankel at sap.com>, security at openajax.org, security-bounces at openajax.org
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxSecurity] [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"

Jon, David,

Just a small comment below.

- Fred

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory

From: Jon Ferraiolo <jferrai at us.ibm.com>
Sent by: security-bounces at openajax.org
Sent: 2007/08/03 06:51
To: "Frankel, David" <david.frankel at sap.com>
Cc: marketing at openajax.org, security at openajax.org
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxSecurity] [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"

Hi David,
I went through your issues on the discussion tab. Thanks for highlighting
these questions. Here are my responses.

David: You seem to be saying that IE's HttpOnly cookies don't improve the
situation because there are other browsers besides IE. However, I think it
is going too far to say that this doesn't improve the situation at all.
Wouldn't it be better to say that it helps somewhat but doesn't fully solve
the problem?
Response: Good point. I changed the wording to say: "Note that Microsoft®
Internet Explorer® 6 or later supports HttpOnly cookies, which prevent the
client-side script from accessing document cookies. HttpOnly cookies do
help to address one common vulnerability area for IE users, but so far the
feature is not supported by other browsers."


FDK: Very recently Firefox 2.0.0.5 added support for httponly cookies. See
http://www.petefreitag.com/item/644.cfm. I would suggest including that,
since Firefox 2.0.0.5, httponly is also supported by Firefox. However,
httponly is vulnerable to the following attack:
http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/
From what I tested, both IE (I tested on 7) and FF (2.0.0.6) are
vulnerable to this. It would be good to have a second confirmation of this.
Anyone interested in testing this?



David: The definition of Blacklisting stops in mid-sentence.

Response: Yes, there was a dangling sentence. I fixed it. Now reads:
"Blacklisting: In this approach, all characters in the blacklist are
filtered out from the input. The biggest challenge with blacklisting is to
ensure that all dangerous characters are listed since it isn't possible to
foresee all possible combinations of characters."

David: I made some edits to the section about escaping special characters
for readability. Double check it to make sure that I didn't inadvertently
introduce errors in the escape sequences.

Response: I reviewed your edits. I don't see any errors.

Thanks again!
Jon

Jon Ferraiolo <jferrai at us.ibm.com>
Web Architect, Emerging Technologies
IBM, Menlo Park, CA
Mobile: +1-650-926-5865

From: Jon Ferraiolo/Menlo Park/IBM at IBMUS
Sent by: marketing-bounces at openajax.org
Sent: 08/01/2007 03:59 PM
To: "Frankel, David" <david.frankel at sap.com>
Cc: marketing at openajax.org, security at openajax.org
Subject: Re: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"

Hi David,
Great job with detailed review and editorial cleanup! Thanks very much. I
went through all of your edits and they all look good. I still have to
study the comments on the discussion tab.

Jon

From: "Frankel, David" <david.frankel at sap.com>
Sent by: marketing-bounces at openajax.org
Sent: 08/01/2007 03:07 PM
To: <security at openajax.org>, <marketing at openajax.org>
Subject: Re: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"

As I promised during the marketing telecon, I have taken an edit pass
through the draft whitepaper. I edited for grammar and readability only,
not for technical content. There are a few outstanding issues that I
explain in the discussion page.

--Dave


David S. Frankel
Lead Standards Architect - Model Driven Systems
NetWeaver Industry Standards
SAP Labs LLC
3410 Hillview Ave, Building E
Palo Alto, CA 94304
Phone & Cell +1 530 893-1100
mailto:David.Frankel at sap.com
http://www.sdn.com


From: marketing-bounces at openajax.org [mailto:marketing-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Thursday, Jul 19, 2007 11:38 AM
To: security at openajax.org; marketing at openajax.org
Subject: [OpenAjaxMarketing] Wiki page created for white paper on "Ajax and Mashup Security"


I have completed the first steps towards a white paper on "Ajax and Mashup
Security". As has been discussed in the Marketing and Security committees,
the proposed plan is to develop this white paper as a joint effort between
the Marketing WG and the Security TF.

Here is the white paper as it stands today:
* http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security

Here is what I am thinking about the process for finishing this white
paper:

Early phase:
* Security TF does most of the work.
* Marketing WG monitors and offers high-level feedback

Late phase:
* Marketing WG performs detailed editorial review
* Marketing WG authorizes publishing to the OpenAjax web site as an
official white paper and for use within magazine articles
* Security TF participates in these discussions and complains if it sees
something it doesn't like (which is unlikely)

This white paper might proceed quickly, and there are advantages with
speed. The reason why the white paper might proceed quickly is that some
IBM researchers have already written a very nice article and we have
permission from the authors and IBM to create a derivative work so long as
we include the notice "First published by IBM developerWorks at
http://www.ibm.com/developerWorks/." The advantage of moving quickly is
that we have an opportunity to publish the article in the September edition
of AJAXWorld magazine, which will be distributed to all attendees of the
AJAXWorld conference. Getting this article into the magazine would be a
benefit to the community and would be a big plus towards promoting
OpenAjax.

My opinion is that with a small amount of effort in the next few weeks, we
can complete this white paper in time for AJAXWorld magazine. The deadline
is a bit slippery, where they would like the articles submitted by July 31
but have given good indication that mid August probably is soon enough. I
believe the original article is nearly suitable in its original form, with
only minor changes needed to adapt for appropriateness for OpenAjax
Alliance. I inserted my list of recommended changes (highlighted in red) onto
the wiki page for the article
(http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security).

If anyone sees any problems with this approach, please speak up via email
or speak up during one of the next telecons (i.e., Marketing telecon or
Security telecon).

Thanks.
Jon

PS: Regarding AJAXWorld magazine, I also promised two other articles, an
update on where things stand with OpenAjax Alliance (probably steal content
from my latest slide decks and from http://www.openajax.org/about.html),
and another article on the OpenAjax Hub (probably repurpose content from
http://www.openajax.org/OpenAjax%20Hub.html, which we developed within the
marketing committee recently). There is also a small chance of an AJAXWorld
article on Mobile Ajax.

_______________________________________________
marketing mailing list
marketing at openajax.org
http://openajax.org/mailman/listinfo/marketing
_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security
