lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 6 May 2010 13:46:08 -0400
From: T Biehn <tbiehn@...il.com>
To: Elazar Broad <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: JavaScript exploits via source code disclosure

A proxy or 'web-service firewall' prior to the 'protected' web service is
the correct answer.

Obfuscating the client code be it JavaScript, Interpreted (Java, CLR, etc)
or Native ignores the notion that the client controls hardware, OS, the
executing process and the network.

Signals can be intercepted at any layer.

Any other assertion is ridiculous and a waste of time and effort.

-Travis

On Thu, May 6, 2010 at 1:08 PM, Elazar Broad <elazar@...hmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Unless you wrap your service methods with some form of an
> authentication, your webservice's are just as public as any other
> "world" accessible part of your site. Are the pages calling these
> services behind any sort of authentication?
>
> On Thu, 06 May 2010 01:44:07 -0400 Ed Carp <erc@...ox.com> wrote:
> >We've got a lot of JQuery code that calls back-end web services,
> >and
> >we're worried about exposing the web services to the outside world
> >-
> >anyone can "view source" and see exactly how we're calling our web
> >services.
> >
> >Are there any suggestions or guidelines regarding protecting one's
> >source from such disclosure?  Thanks in advance!
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQECAAYFAkvi93MACgkQi04xwClgpZjfcgP/d0S5hyRlsAypsOue6A6HVLMpvTXT
> S3LyNJGpmoMcKAVRldWuIz5kP3dQ3BIHJEEdC1qKLwtSOEgAlxM/1XkMR7zhi4qJUzp0
> a2LisyC8k2xgWIYSfmiqG//tDWzME4EeYHZiGo0iK0fDPLLSwnad9+aeEdRdNI2vmfIc
> N6eQJeo=
> =4zuK
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ