[WEB SECURITY] "AJAX breathes new life into Web apps"

Chris.Hammond-Thrasher at consulting.fujitsu.com
Tue May 24 16:02:21 EDT 2005


This is the key question. Whatever you want to say about the limitations 
of Java applets, at least the Sun (and IBM) JVM went to some lengths to 
limit applets to executing within a fairly well defined sandbox. This 
sandbox model combined with cryptographic code signing made Java applets 
fairly secure to run (even if there are other issues).

Has anyone thought of creating a mechanism to sign Javascript code with 
code signing certificates then have the signature verified automatically 
by the browser or a browser plug-in? (I have, I'm just too lazy to do 
anything about it.)


Chris Hammond-Thrasher  MLIS, CISSP
Principal Management Consultant
Library Technology / Security, Privacy and Technical Risk
email: chris.hammond-thrasher at consulting.fujitsu.com
Web: http://www.fujitsu.com/ca/

"Nathan Tobik" <nathan.tobik at vigilantminds.com>
05/24/2005 01:32 PM

        To:     <websecurity at webappsec.org>
        cc:     (bcc: Chris Hammond-Thrasher/EDM/DMR/CA)
        Subject:        RE: [WEB SECURITY] "AJAX breathes new life into Web apps"

I've read a bit about AJAX and it's a pretty cool technology.  What I'm
wondering is what are the security implications of using this within web

Specifically I am thinking that since the pages use JavaScript what
could happen if a user were to use something like GreaseMonkey
(http://greasemonkey.mozdev.org/) in Firefox or something similar.  Does
Ajax open a server up to client side attacks with Javascript? 

OTOH is anyone using AJAX to enhance the security of their web apps?

Nate Tobik
(412)661-5700 x206

Subject: [WEB SECURITY] "AJAX breathes new life into Web apps"

An intro to AJAX article got posted to slashdot today

"AJAX is the newly minted acronym encompassing a fresh vision of
empowered browsers: Asynchronous JavaScript and XML. Before AJAX, Web
pages displayed links, forms, and buttons. When a user clicked on a link
or a button, the browser sent a message to a distant server asking what
to display next. JavaScript would typically be used for nothing more
than to check form inputs. Web pages were as static as pages in a book.
" - Infoworld

