Security Watch: JavaScript plus AJAX equals trouble (CNET Reviews)

Longtime readers will recognize my standard security mantra: convenience equals insecurity. Call me a security Luddite in that I believe it's sometimes better to do things the long way around, because shortcuts in computer software or Internet services most often leave you vulnerable. That sentiment seems to be shared by Billy Hoffman. He's a researcher at SPI Dynamics who, while criticizing businesses that race to deliver AJAX-enabled Web sites without regard to security, focused his two Black Hat Web 2.0 presentations on the potential troubles lurking within AJAX--in particular, how some hot new Web sites are ineptly filtering user input and thus newly opening the end user and the enterprise itself to old-style attacks.

In this week's column, I'll talk specifically about AJAX and cross-site scripting attacks using JavaScript executed on your desktop browser; next week, I'll discuss how AJAX can also open an enterprise to attack.

