Day: April 2, 2007

Parallels

Working in Coherence

I just have to add a quick note here – I love the way Coherence in Parallels works! The fastest way I’ve found to test pages in multiple browsers. You’ll notice I’m testing a page in OS X in Firefox, Safari and Opera, while also testing in Win XP in Firefox, Opera and IE 7. It helps having the Windows apps show up in the dock, too.


JavaScript

Web 2.0 Attack – AJAX Vulnerable to JavaScript Hijacking

A white paper from Fortify Software outlines a major Web 2.0 vulnerability. According to the white paper, all current frameworks that use JSON for data communications are vulnerable. Fortify has released the information to all the major framework developers so that it can be addressed within the AJAX frameworks themselves. They noted, however, that one quarter of the participants in an AJAX survey hosted by Fortify did not use any framework at all. Fortify recommend a two-pronged mitigation approach:

  • Include a hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.
  • Include characters in the response that prevent it from being successfully handed off to a JavaScript interpreter without modification. This prevents an attacker from using a <script> tag to witness the execution of the JavaScript.

Computer Business Review has a more extensive write-up available.
