Sunday, April 15, 2007
Would you still love AJAX if you knew it was insecure?

From Bruce Schneier's latest Crypto-Gram:

JavaScript Hijacking

JavaScript hijacking is a new type of eavesdropping attack against Ajax-style Web applications.  I'm pretty sure it's the first type of attack that specifically targets Ajax code.  The attack is possible because Web browsers don't protect JavaScript the same way they protect HTML; if a Web application transfers confidential data using messages written in JavaScript, in some cases the messages can be read by an attacker.

The authors show that many popular Ajax programming frameworks do nothing to prevent JavaScript hijacking.  Some actually *require* a programmer to create a vulnerable server in order to function.

Like so many of these sorts of vulnerabilities, preventing the class of attacks is easy.  In many cases, it requires just a few additional lines of code.  And like so many software security problems, programmers need to understand the security implications of their work so they can mitigate the risks they face.  But my guess is that JavaScript hijacking won't be solved so easily, because programmers don't understand the security implications of their work and won't prevent the attacks.


Responses to many of the blog comments, by one of the paper's co-authors:

It would be an interesting comparison, to see a rich-client app using "traditional" calls back to a server (via RMI, .NET Remoting, or some kind of messaging system like JMS or MSMQ) weighed against an AJAX app, compared on security holes. My gut instinct tells me that the rich client app would be more secure, but only because using the binary RPC/messaging toolkit obfuscates the wire traffic enough to dissuade the 'casual' attacker, not because it's inherently more secure.

By the way, if you're not receiving Crypto-Gram via email or RSS, you are seriously at risk of writing insecure apps. Think it's all dry and boring security threat alerts? Hardly--check out the "Second Annual Move-Plot Threat Contest". Then tell me whether you think it's funny--or just sad--that there will not only be a real winner to this contest, but that the TSA will, in all likelihood, react the way Bruce predicts, particularly when the major news outlets report the story and it joins the list of fears the public already receives on a daily basis.

More people die every day from automobile accidents than from terrorism. Hell, I'd even bet that on September 11, 2001, more people died from automobile accidents that day than from the Twin Towers attack. (I don't have the statistics to verify that, but I imagine it's fairly easy to find out; right or wrong, kudos to whomever takes the ten or fifteen minutes to research it and send it to me for posting here.)

Ban the automobile! Protect your children from the evil terrorists at Ford, GM, Saturn, Toyota, DaimlerChryseler, and more! Send in the troops to arrest these fiendish perpetrators of unnecessary and senseless deaths to innocent American citizens! (And for God's sake, don't ask how many people die from peanut allergies each year, or we'll lose Skippy and Reese's Peanut Butter Cups too!)

.NET | C++ | Development Processes | Java/J2EE | Ruby | Windows | XML Services

Sunday, April 15, 2007 12:46:33 AM (Pacific Standard Time, UTC-08:00)
Comments [6]  | 
 Tuesday, April 10, 2007
Management Lessons for Developers

Others may say that developers can't be managers, but I fail to accept that; I just think developers need to get the basics about management in short, easy-to-remember doses. With that, I now offer the "Five-Minute Manager":

Lesson #1: Communication

A man is getting into the shower just as his wife is finishing up her shower, when the doorbell rings. The wife quickly wraps herself in a towel and runs downstairs. When she opens the door, there stands Bob, the next-door neighbor.

Before she says a word, Bob says, "I'll give you $800 to drop that towel."

After thinking for a moment, the woman drops her towel and stands naked in front of Bob. After a few seconds, Bob hands her $800 and leaves.

The woman wraps back up in the towel and goes back upstairs. When she gets to the bathroom, her husband asks, "Who was that?"

"It was Bob the next door neighbor," she replies.

"Great," the husband says, "did he say anything about the $800 he owes me?"

Moral: If you share critical information with your coworkers and employees in a timely fashion, you may be in a position to prevent avoidable exposure.


Lesson #2: Knowledge

A priest offered a Nun a lift. She got in and crossed her legs, forcing her gown to reveal a leg. The priest nearly had an accident. After controlling the car, he stealthily slid his hand up her leg.

The nun said, "Father, remember Psalm 129?"

The priest removed his hand. But, changing gears, he let his hand slide up her leg again.

The nun once again said, "Father, remember Psalm 129?"

The priest apologized "Sorry, sister, but the flesh is weak."

Arriving at the convent, the nun sighed heavily and went on her way.

On his arrival at the church, the priest rushed to look up Psalm 129. It said, "Go forth and seek, further up you will find glory."

Moral: If you are not well informed, you might miss a great opportunity.


Lesson #3: Politics

A sales rep, an administration clerk, and the manager are walking to lunch when they find an antique oil lamp. They rub it and a Genie comes out and says, "I'll give each of you just one wish."

"Me first! Me first!" says the admin clerk. "I want to be in the Bahamas, driving a speedboat, without a care in the world."

Puff! She's gone.

"Me next! Me next!" says the sales rep. "I want to be in Hawaii, relaxing on the beach with my personal masseuse, an endless supply of Pina Coladas and the love of my life."

Puff! He's gone.

"OK, you're up," the Genie says to the manager.

The manager says, "I want those two back in the office after lunch."

Moral: Always let your boss (or your customer) have the first say.


Lesson #4: Relativity

An eagle was sitting on a tree, resting, doing nothing. A small rabbit saw the eagle and asked him, "Can I also sit like you and do nothing?"

The eagle answered: "Sure, why not."

So, the rabbit sat on the ground below the eagle and rested.

All of a sudden, a fox appeared, jumped on the rabbit and ate it.

Moral: To be sitting and doing nothing, you must be sitting very, very high up.


Lesson #5: Sincerity

A turkey was chatting with a bull. "I would love to be able to get to the top of that tree," sighed the turkey, "but I haven't got the energy."

"Well, why don't you nibble on some of my droppings?", replied the bull. "They're packed with nutrients."

The turkey pecked at a lump of dung, and found it actually gave him enough strength to reach the lowest branch of the tree. The next day, after eating some more dung, he reached the second branch. Finally after a fourth night, the turkey was proudly perched at the top of the tree.

He was promptly spotted by a farmer, who shot him out of the tree.

Moral: BS might get you to the top, but it won't keep you there.


... and if you really thought you could learn to be a manager in five minutes, allow me to suggest that you take my course, "How to Bilk Management of Loads of Cash, the Easy Way", only $5995 for five days....

Tuesday, April 10, 2007 4:16:49 PM (Pacific Standard Time, UTC-08:00)
Comments [9]  |