Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: JavaScript exploits via source code disclosure
From: "Elazar Broad" <elazar () hushmail com>
Date: Thu, 06 May 2010 13:59:44 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If his users are authenticated via say regular form login, he can
pass some sort of hash which identifies the user and session to the
service, with the authentication wrapper being server side, which
begs the question, do you trust your users...

How would such a firewall work/help anyway? It still has to make
some sort of authorization decision, and if the services in
question are not called by pages that are login protected, your
back to square one. How do you pass some sort of 'I know this is
the page calling me and not the attacker' without the client seeing
that too?

elazar

On Thu, 06 May 2010 13:46:08 -0400 T Biehn <tbiehn () gmail com> wrote:
A proxy or 'web-service firewall' prior to the 'protected' web
service is
the correct answer.

Obfuscating the client code be it JavaScript, Interpreted (Java,
CLR, etc)
or Native ignores the notion that the client controls hardware,
OS, the
executing process and the network.

Signals can be intercepted at any layer.

Any other assertion is ridiculous and a waste of time and effort.

-Travis

On Thu, May 6, 2010 at 1:08 PM, Elazar Broad <elazar () hushmail com>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unless you wrap your service methods with some form of an
authentication, your webservice's are just as public as any
other
"world" accessible part of your site. Are the pages calling
these
services behind any sort of authentication?

On Thu, 06 May 2010 01:44:07 -0400 Ed Carp <erc () pobox com>
wrote:
We've got a lot of JQuery code that calls back-end web
services,
and
we're worried about exposing the web services to the outside
world
-
anyone can "view source" and see exactly how we're calling our
web
services.

Are there any suggestions or guidelines regarding protecting
one's
source from such disclosure?  Thanks in advance!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at
https://www.hushtools.com/verify
Version: Hush 3.0


wpwEAQECAAYFAkvi93MACgkQi04xwClgpZjfcgP/d0S5hyRlsAypsOue6A6HVLMpvTX
T

S3LyNJGpmoMcKAVRldWuIz5kP3dQ3BIHJEEdC1qKLwtSOEgAlxM/1XkMR7zhi4qJUzp
0

a2LisyC8k2xgWIYSfmiqG//tDWzME4EeYHZiGo0iK0fDPLLSwnad9+aeEdRdNI2vmfI
c
N6eQJeo=
=4zuK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerpr
int=on
http://pastebin.com/f6fd606da
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkvjA5AACgkQi04xwClgpZhv5QP9HcdmzyQZwYcvEtMbAWWBytvRpw6d
mKENP9+wWTQphXcWoaQaf1cbKwnISfCkbzSvF1pKV61QyDLDlxocYQ5sNvAjthW2yHkS
N8Kq7Bod0jpfl1CZcZy3RCs3Fju+DQPBvhCJ56wGAwhzBtPvHerSGXFx3dVPYIxV9Cfb
Qu/5NV8=
=Ixct
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]