
Re: Yet another Disturbing type of Exploit

I guess I would just add that JavaScript injection is not a new
attack vector.  The only thing that makes this specific exploit
different is that it is an attack aimed at the browser instead of at
the application.  Note that we have to be very careful about allowing
any sort of JavaScript injection anyway because this sort of attack
vector could also be turned against web applications (where you can do
this, XSS is always a possibility too).

In general, we aim to block vectors, not specific exploits.

However, I do know that some sort of fallback is likely just because
it is nice to have if we need to support a device with spotty
JavaScript support (like a handheld device running Pocket IE).

Best Wishes,
Chris Travers

On 4/19/07, Jason Rodrigues <..hidden..> wrote:
On Thursday 19 April 2007 13:05, Chris Travers wrote:
> > Obviously LSMB would not be susceptible to buffer overflows, but every
> > day I see more and more seriously negative stuff about javascript.
> > My understanding is that LSMB development is going to add a lot of
> > javascript based web 2.0/ajax type stuff, which IS wonderful to use.
> > Are there plans for the new interfaces to "degrade gracefully" without
> > loss of function (some loss of convenience couldn't be avoided), if a
> > person found that javascript HAD to be turned off and kept off because
> > of non-LSMB security issues?

Several of the core developers (with good reason) have access to, and insist
on, a gracefully degraded interface for lower-end hardware, such as handheld
scanners and low-memory/low-resolution workstations.  This is something we
will maintain throughout the development process.

I am not a security researcher, but I suspect a good many of those attacks on
AJAX interfaces are because the interface on the server side of things is
far too trusting.

I think the REST API we're planning will go a long way to mitigate these types
of attacks, because input is validated, translated, and even then only
permitted to mutate server data in specific ways.  (But also note, we don't
claim invincibility... yet  :))  I also think the REST interface will
help enforce a degradable interface since it will only allow access to
arbitrary objects, and discourage arbitrary actions. (Besides GET, PUT, POST,


Ledger-smb-devel mailing list
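Two points in the thread above, the XSS risk of reflecting untrusted input into a page and the idea of a REST layer that validates input and permits only specific mutations, are illustrated here in one added Python example. It is not code from LedgerSMB or from either poster; the "invoice" resource, its field whitelist and the sample inputs are constructed for the illustration.

```python
import html
import json
from typing import Any

# Constructed sample: a user-supplied value as it might arrive in a query
# string or form field. It carries markup on purpose so the two renderers
# below can be compared.
UNTRUSTED_NAME = '<script>alert("xss")</script>Bob'


def render_unsafe(name: str) -> str:
    """Interpolates raw input into HTML; any markup in `name` becomes live
    markup in the page. This is the pattern the thread warns about."""
    return f"<p>Welcome, {name}</p>"


def render_safe(name: str) -> str:
    """Same template, but the value is HTML-escaped at the output boundary so
    <, >, &, and quotes become entities and cannot open a tag or attribute."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def contains_script_tag(fragment: str) -> bool:
    """Simple detection check used by the test: is an unescaped <script tag
    present in the emitted HTML?"""
    return "<script" in fragment.lower()


# Hypothetical REST resource: the only fields a client may change on an
# invoice, with the type each must have. Anything not listed is rejected,
# which is the "only permitted to mutate server data in specific ways" idea.
INVOICE_FIELDS: dict[str, type] = {"customer_id": int, "amount": float, "memo": str}
MAX_MEMO_LEN = 200


class ValidationError(ValueError):
    """Raised for any request body the server refuses to act on."""


def validate_invoice_update(body: str) -> dict[str, Any]:
    """Parse and validate a JSON body for PUT /invoice/<id>.

    Returns a cleaned dict containing only whitelisted, type-checked fields.
    Raises ValidationError on malformed JSON, unknown fields, wrong types,
    or out-of-range values. Nothing here trusts the client.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")

    unknown = set(data) - INVOICE_FIELDS.keys()
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")

    clean: dict[str, Any] = {}
    for key, expected in INVOICE_FIELDS.items():
        if key not in data:
            continue
        value = data[key]
        # JSON "12" for amount arrives as int; promote it, but never accept
        # bool, which is an int subclass in Python and would otherwise pass.
        if expected is float and isinstance(value, int) and not isinstance(value, bool):
            value = float(value)
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValidationError(f"field {key!r} must be {expected.__name__}")
        clean[key] = value

    if "amount" in clean and clean["amount"] < 0:
        raise ValidationError("amount must not be negative")
    if "memo" in clean and len(clean["memo"]) > MAX_MEMO_LEN:
        raise ValidationError("memo too long")
    return clean


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_NAME))
    print(render_safe(UNTRUSTED_NAME))
    print(validate_invoice_update('{"customer_id": 7, "amount": 12, "memo": "April"}'))
```

Note that the memo is stored as the client sent it and only escaped when rendered: validation limits what can be written, output encoding decides how it is displayed, and the two controls are independent, so a non-JavaScript client sees the same server-side rules enforced as an AJAX one.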