The problem with online javascript

Javascript is a very powerful scripting language that, with some 'hacking', you can ask to do anything you (and the hacker) dream about. Many of the XSS attacks against popular websites are based on this premise. You can install code on a machine, redirect the machine to another website, disable programs, etc. It is for this reason very questionable to let your users use anything other than real text when they make pages or comments on your website.


Ebay had another XSS attack based upon this javascript trick. The hole is closed by now, and Ebay says it is monitoring the situation and that it has now blocked the redirect function in javascript, but the real question is: why should people be allowed to play with javascript on your website? Especially if money is involved?
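The "real text only" policy argued for above, as an added example that is not part of the original post: every character that could start a tag or attribute is escaped before a comment is put into the page, so a comment containing a script or redirect is rendered as literal text instead of being executed. The comment content and the `renderComment` / `containsOnlyTemplateTags` helpers are constructed for this illustration.

```javascript
// Added example (not from the original post): render user-supplied comment
// text so that the browser always treats it as text, never as markup or script.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that could open a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML for one comment. The author name and the body are both
// untrusted input, so both go through escapeHtml before interpolation.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Check a reviewer can run over rendered output: the only tags present must
// be the ones the template itself emits (div and b). Anything else means
// user content reached the page unescaped.
function containsOnlyTemplateTags(html) {
  const allowed = new Set(['div', '/div', 'b', '/b']);
  const tags = html.match(/<\/?[a-zA-Z]+[^>]*>/g) || [];
  return tags.every((t) => allowed.has(t.replace(/^<|>$/g, '').split(' ')[0].toLowerCase()));
}

// Constructed sample: a comment that tries to redirect the visitor, the
// kind of trick the post describes. After escaping it is inert text.
const HOSTILE_COMMENT = 'Nice item! <script>location.href="https://example.invalid/"</script>';

console.log(renderComment('buyer42', HOSTILE_COMMENT));
console.log('only template tags:', containsOnlyTemplateTags(renderComment('buyer42', HOSTILE_COMMENT)));
```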

15:12 Posted by technology changes fast not a lot in General

