[Owasp-dotnet] Re: [SC-L] Is there any Security problem in Ajax technology?
Andrew van der Stock
vanderaj at greebo.net
Tue Mar 14 20:48:07 EST 2006
Yes! :)

I am speaking at the OWASP EU conference in Belgium (I hope people
speak English 'cos my French is now quite appalling) at the end of
May, and I have a paper submission for O'Reilly's OSCON in early
July. I am still mulling over whether to submit a proposal to
BlackHat as although I love junkets, I can't do too many - I have to
work as well :)

Next, once the chapter is released, it will be a major new addition
to the OWASP Guide 2.1, and I'm sure we'll be doing something about
promoting it at that point.

There's not really any technology required to secure Ajax; it's all
about the architecturally correct location of authorization,
validation and preventing injection attacks. There's no magic
technical bullet, WAF, or similar which can help fix these things.
The issues with Ajax aren't really new, it's just that devs are
introducing new classes of vulnerability because they have forgotten
the hard lessons learnt in the past.

thanks,
Andrew

On 15/03/2006, at 12:33 PM, Eric Swanson wrote:
> My question: How does OWASP plan to educate the public regarding security
> concerns raised by AJAX and, indeed, any new methodology or technology and
> what is its plan to develop tools that translate this education into
> practice? *AJAX and related methodologies should be addressed by all groups
> within OWASP, so I'm guessing that the .NET group isn't the only group
> actively discussing it. (AFLAX - a Flash version also raises the same
> concerns.)
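
The point in the message above about where authorization, validation and injection prevention belong, as an added example that is not part of the original post: a server-side handler for a hypothetical Ajax "update note" call. The handler name, the session shape and the NOTES store are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical.
const NOTES = new Map([                 // constructed sample data
  [1, { owner: "alice", text: "hello" }],
  [2, { owner: "bob", text: "private" }],
]);

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

const reply = (status, body) => ({ status, body });

// session: state the server holds for this connection. rawBody: the untrusted
// request body sent by the browser's XMLHttpRequest.
function handleNoteUpdate(session, rawBody) {
  // Identity comes from the server-side session, never from the request body.
  if (!session || !session.user) return reply(401, { error: "not authenticated" });

  let req;
  try { req = JSON.parse(rawBody); } catch { return reply(400, { error: "bad JSON" }); }
  if (req === null || typeof req !== "object") return reply(400, { error: "bad request" });

  // Validation is repeated on the server even if the page's script already
  // checked the form: strict type, non-empty, bounded length.
  const { id, text } = req;
  if (!Number.isInteger(id) || typeof text !== "string" ||
      text.length === 0 || text.length > 200) {
    return reply(400, { error: "invalid field" });
  }

  const note = NOTES.get(id);
  if (!note) return reply(404, { error: "no such note" });

  // Authorization is decided per object, against the session user. Fields such
  // as "owner" or "isAdmin" in the request are ignored.
  if (note.owner !== session.user) return reply(403, { error: "forbidden" });

  note.text = text;                     // store as given, encode on output
  // Injection prevention: encode for the HTML context the client inserts into.
  return reply(200, { id, html: escapeHtml(note.text) });
}
```
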