Friday, January 05, 2007

Security on the web has taken on a new dimension with AJAX-driven websites. AJAX-driven websites are more susceptible to cross-site scripting (XSS) attacks, and they make it easier for an attacker to discover the calls and logic behind the application.
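To make the XSS point concrete, here is an added example (my own illustration, not code from the original post). An AJAX page fetches JSON from the server and renders it into the DOM; the vulnerable version drops the fields straight into markup, the hardened version escapes each field for its HTML context first. The endpoint name, the field names and the sample response are all constructed for the example.

```javascript
// Added example: treating AJAX response data as untrusted before it reaches the DOM.
// SAMPLE_RESPONSE below is constructed; the /api/comments endpoint and the
// field names "author" and "body" are assumptions made for this illustration.
const SAMPLE_RESPONSE = JSON.stringify([
  { author: "alice", body: "Nice post!" },
  { author: "guest", body: "<script>alert('xss')</script>" },
  { author: "bob & co", body: "Use a < b, not a > b" }
]);

// Escape the five characters that change meaning in an HTML text or
// attribute context. Anything the server sends is data, never markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: JSON fields interpolated directly into an HTML string
// that the page later assigns to element.innerHTML. The second sample comment
// becomes live script when rendered.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened pattern: every untrusted field is escaped for the HTML context it
// lands in, so the same comment renders as visible text.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Defensive check for a code review or unit test: does an escaped fragment
// still contain characters that could open a tag or attribute, or a bare
// ampersand that was not turned into an entity?
function hasActiveMarkup(fragment) {
  return /[<>"']/.test(fragment) || /&(?!(amp|lt|gt|quot|#39);)/.test(fragment);
}

// Parse the response and render it with the chosen renderer.
function renderComments(jsonText, renderer) {
  const comments = JSON.parse(jsonText);
  return `<ul>${comments.map(renderer).join("")}</ul>`;
}

// Stand-alone demo: prints both renderings for the constructed response.
function demo() {
  const unsafeHtml = renderComments(SAMPLE_RESPONSE, renderCommentUnsafe);
  const safeHtml = renderComments(SAMPLE_RESPONSE, renderCommentSafe);
  console.log("unsafe:", unsafeHtml);
  console.log("safe:  ", safeHtml);
  return { unsafeHtml, safeHtml };
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

In a real page the safest route is to skip HTML strings altogether and set `element.textContent` for each field, which the browser never parses as markup; the escaping function above is for the cases where you must build markup from data.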

I covered these in sessions titled "Building Secure Next Generation Web Applications" during the recent Security Yatra, and also during some MSDN Days organized at a few SIs in India.

Among the really startling attacks I came across while preparing the content for the demo was the MySpace worm. The complete details are available at http://namb.la/popular/

Not only did the worm bypass all of Myspace.com's rules, but it surprised the author of the malicious code himself by affecting a million users in under 20 hours!

I also just received an email about a very interesting vulnerability in PDF and Adobe Reader that makes serious XSS attacks possible. That was quite startling, because it widens the avenues for attack beyond AJAX sites to common technology such as Adobe PDF and OpenOffice. The article is available at http://www.eweek.com/article2/0,1895,2079201,00.asp?kc=EWEWEMNL010107EP26A

The actual attack instructions are also available here. But let me warn you not to try this against any site. Don't mess around - it is a dangerous world out there.

And for all you developers out there, if that didn't shake you and make you say "Take security seriously", I don't know what will.