@prefix rdf: . @prefix ns1: . @prefix sioc: . ns1:this rdf:type sioc:User . @prefix ns3: . @prefix foaf: . ns3:this rdf:type foaf:Person . @prefix rdfs: . @prefix ns6: . ns3:this rdfs:seeAlso ns6:ondras . @prefix atom: . rdf:type atom:Feed . @prefix sioct: . rdf:type sioct:Weblog ; rdfs:label "Ondrej Zara's Weblog" ; rdf:type sioct:BlogPost , atom:Entry ; sioc:link ; sioc:has_creator ns1:this ; sioc:has_container . @prefix dt: . @prefix dcterms: . dcterms:created "2007-04-04T04:06:00-04:00"^^dt:dateTime ; dcterms:modified "2007-05-27T18:43:24-04:00"^^dt:dateTime ; atom:title "OAT and JS Hijacking" ; atom:author ns3:this ; atom:published "2007-04-04T08:06:00Z" ; atom:updated "2007-05-27T22:43:24Z" . @prefix dc: . dc:title "OAT and JS Hijacking" ; sioc:links_to . @prefix ns12: . sioc:links_to ns12:towards-secure-ajax-mashups , . @prefix ns13: . sioc:topic ns13:security , ns13:json , ns13:oat , ns13:ajax ; rdfs:label "OAT and JS Hijacking" ; foaf:maker ns3:this ; sioc:content "\n <div class="moz-text-flowed" style="font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 13px;" lang="x-western">There has been some <a href="http://ajaxian.com/archives/towards-secure-ajax-mashups">recent</a> <a href="http://www.networkworld.com/news/2007/040207-javascript-ajax-applications.html">buzz</a> regarding security issues of Web 2.0 sites. I decided to thoroughly study and analyze how this works, manifests and influences JS toolkits.<br /> <br />The best approach here is to study whitepaper located at\u00A0 <a class="moz-txt-link-freetext" href="http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf">http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf</a>. One can find a typical attack scenario, some defense suggestions and security considerations. While the paper is (in my opinion) oversized, telling rather small amount of facts on large amount of pages, it contains some interesting information. Let me share how all this relates to OAT.<br /> <br />First of all, I must conclude that none of OAT-based apps is vulnerable to mentioned attacks, for two reasons: <br /> <ol> <li>attacks are only appliable in JSON documents, fetched via GET method. Our OAT apps use XML format, requested with POST (via XML/A - SOAP).</li> <li>attacks are only appliable when security tokens (i.e. user name, password) are passed via browser cookie. This is not our case, since we pass these in POST request&#39;s body. <br /> </li> </ol>However, we might take into consideration the fact that OAT can be used for building different applications. So I added some low-level support for security countermeasures mentioned in the PDF document. Specifically (as a client-side only toolkit), the following two methods: <br /> <br />\u00A0 a) cookie-based secret, passed as URL parameter in GET requests. So every OAT.AJAX.GET invocation will <ul> <li>set a cookie called &#39;oatSecurityCookie&#39; to some random value</li> <li>add &#39;oatSecurityCookie=xxx&#39; to URL string, where xxx equals to the random value mentioned above.\u00A0</li> </ul>\u00A0 b) enhanced JSON parser with smarter text analysis, effectively filtering out <br /> <ul> <li>comments (at the beginning and end of JSONified text)</li> <li>the &#39;while(1);&#39; trap, situated at the beginning of received text <br /> </li> </ul> Both methods are now mentioned in the OAT documentation. Of course, applying OAT eqipped with these countermeasures doesn&#39;t make (yet) your app secure: one must explicitely use one (or both) methods on server side, to complement OAT&#39;s security features.<br /> <br /> To sum this up - OAT is now providing a maximum support for securing GETting JSONified data. It is up to user whether he wants to take advantage of this. We are - as (nearly) always - ready :)<br />\n<br /> </div> \n" ; sioc:id "01cbcc6675bdbc6bc2f3c8d0efe043c5" ; atom:source . @prefix ore: . ore:isDescribedBy . @prefix moat: . ns13:ajax rdf:type moat:Tag . @prefix scot: . ns13:ajax rdf:type scot:Tag . ns13:json rdf:type scot:Tag , moat:Tag . ns13:oat rdf:type scot:Tag , moat:Tag . ns13:security rdf:type scot:Tag , moat:Tag .@prefix rdf: . @prefix ns1: . @prefix sioc: . ns1:this rdf:type sioc:User ; sioc:creator_of . @prefix ns3: . @prefix foaf: . ns3:this rdf:type foaf:Person . @prefix rdfs: . @prefix ns6: . ns3:this rdfs:seeAlso ns6:ondras ; foaf:made . @prefix sioct: . rdf:type sioct:Weblog . @prefix atom: . rdf:type atom:Feed ; sioc:container_of ; rdfs:label "Ondrej Zara's Weblog" ; atom:contains ; atom:entry . @prefix ns9: . @prefix scot: . ns9:ajax rdf:type scot:Tag . @prefix moat: . ns9:ajax rdf:type moat:Tag . @prefix skos: . ns9:ajax skos:isSubjectOf . ns9:json rdf:type scot:Tag , moat:Tag ; skos:isSubjectOf . ns9:oat rdf:type scot:Tag , moat:Tag ; skos:isSubjectOf . ns9:security rdf:type moat:Tag , scot:Tag ; skos:isSubjectOf .