24 Jan 2008 8:48 AM #1
I'm kind of new to the whole security of my web app business, and I'm a little worried about people being able to access and execute my server-side code without permission (or by tricking someone with permission).
What's to prevent Johnny Malicious from creating a script that uses a ScriptTagProxy to connect to one of my arbitrary server-side code files to perform a malicious task?
I'm in a situation where the user requires no login/password, but instead has entry based around their Windows Authenticated Login. I could make it more difficult for Johnny by simply examining his login versus the permissions of his login, but what's to stop him from sending a link off to Bobby Admin and letting him execute it, etc.?
What is the benefit of HttpProxy and Connection which make use of same-origin policy when script kiddies can just use ScriptTagProxy?
Now that I think about it, you could, via Firebug or Fiddler or whatever, just examine the JS files downloaded, pick one out (say EditUserPermissions.js), examine that file to find what server-side connection it makes to update the database (say EditUserPermissions.aspx) as well as examine the required params, and type it right into your browser. Johnny would be in the same situation as before where he might need to pass the URL off to Bobby Admin, I guess, but it sure seems so easy...
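
The scenario in the post above (a link or script tag that makes Bobby Admin's browser call a state-changing page with his Windows credentials) is what a server-side request check is meant to stop. The sketch below is an added example, not part of the original post or of any Ext JS or ASP.NET code; it models the decision in JavaScript, and `APP_ORIGIN`, `SERVER_KEY`, `issueToken`, `checkRequest`, the `x-csrf-token` header name and the account names are all assumptions.

```javascript
const crypto = require("node:crypto");

// Hypothetical values for illustration only.
const APP_ORIGIN = "https://intranet.example"; // constructed origin of the real app
const SERVER_KEY = crypto.randomBytes(32);     // server-side secret, never sent to clients

// Token bound to the authenticated account. The server embeds it only in pages it
// serves from APP_ORIGIN, so a page on another site cannot read it.
function issueToken(user) {
  return crypto.createHmac("sha256", SERVER_KEY).update(user).digest("hex");
}

// Constant-time comparison of the supplied token with the expected one.
function tokenMatches(user, supplied) {
  const expected = Buffer.from(issueToken(user));
  const got = Buffer.from(String(supplied || ""));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// req = { method, headers, user }; user is the identity the web server authenticated.
// Run this before any handler that changes data; the permission check on `user`
// still happens afterwards.
function checkRequest(req) {
  // A script tag or a pasted link can only issue GET, so writes never run on GET.
  if (req.method !== "POST") return { ok: false, reason: "method" };
  // When the browser sends Origin, it must be the application's own origin.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== APP_ORIGIN) return { ok: false, reason: "origin" };
  // The token travels in a custom header, which a cross-site form or script tag cannot set.
  if (!tokenMatches(req.user, req.headers["x-csrf-token"])) return { ok: false, reason: "token" };
  return { ok: true, reason: null };
}

// Constructed sample requests, all arriving with Bobby Admin's ambient credentials.
function demo() {
  const user = "CORP\\bobby.admin";
  return [
    { method: "GET", headers: {}, user },                                     // emailed link
    { method: "POST", headers: { origin: "https://other.example" }, user },   // cross-site form
    { method: "POST", headers: { origin: APP_ORIGIN }, user },                // no token
    { method: "POST", headers: { origin: APP_ORIGIN, "x-csrf-token": issueToken(user) }, user },
  ].map((r) => checkRequest(r).reason);
}
```
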