| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 06 May 2010 13:59:44 -0400 From: "Elazar Broad" <elazar@...hmail.com> To: tbiehn@...il.com Cc: full-disclosure@...ts.grok.org.uk Subject: Re: JavaScript exploits via source code disclosure -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If his users are authenticated via say regular form login, he can pass some sort of hash which identifies the user and session to the service, with the authentication wrapper being server side, which begs the question, do you trust your users... How would such a firewall work/help anyway? It still has to make some sort of authorization decision, and if the services in question are not called by pages that are login protected, your back to square one. How do you pass some sort of 'I know this is the page calling me and not the attacker' without the client seeing that too? elazar On Thu, 06 May 2010 13:46:08 -0400 T Biehn <tbiehn@...il.com> wrote: >A proxy or 'web-service firewall' prior to the 'protected' web >service is >the correct answer. > >Obfuscating the client code be it JavaScript, Interpreted (Java, >CLR, etc) >or Native ignores the notion that the client controls hardware, >OS, the >executing process and the network. > >Signals can be intercepted at any layer. > >Any other assertion is ridiculous and a waste of time and effort. > >-Travis > >On Thu, May 6, 2010 at 1:08 PM, Elazar Broad <elazar@...hmail.com> >wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Unless you wrap your service methods with some form of an >> authentication, your webservice's are just as public as any >other >> "world" accessible part of your site. Are the pages calling >these >> services behind any sort of authentication? >> >> On Thu, 06 May 2010 01:44:07 -0400 Ed Carp <erc@...ox.com> >wrote: >> >We've got a lot of JQuery code that calls back-end web >services, >> >and >> >we're worried about exposing the web services to the outside >world >> >- >> >anyone can "view source" and see exactly how we're calling our >web >> >services. >> > >> >Are there any suggestions or guidelines regarding protecting >one's >> >source from such disclosure? Thanks in advance! >> > >> >_______________________________________________ >> >Full-Disclosure - We believe in it. >> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >Hosted and sponsored by Secunia - http://secunia.com/ >> -----BEGIN PGP SIGNATURE----- >> Charset: UTF8 >> Note: This signature can be verified at >https://www.hushtools.com/verify >> Version: Hush 3.0 >> >> >wpwEAQECAAYFAkvi93MACgkQi04xwClgpZjfcgP/d0S5hyRlsAypsOue6A6HVLMpvTX >T >> >S3LyNJGpmoMcKAVRldWuIz5kP3dQ3BIHJEEdC1qKLwtSOEgAlxM/1XkMR7zhi4qJUzp >0 >> >a2LisyC8k2xgWIYSfmiqG//tDWzME4EeYHZiGo0iK0fDPLLSwnad9+aeEdRdNI2vmfI >c >> N6eQJeo= >> =4zuK >> -----END PGP SIGNATURE----- >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > >-- >FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C >http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerpr >int=on >http://pastebin.com/f6fd606da -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkvjA5AACgkQi04xwClgpZhv5QP9HcdmzyQZwYcvEtMbAWWBytvRpw6d mKENP9+wWTQphXcWoaQaf1cbKwnISfCkbzSvF1pKV61QyDLDlxocYQ5sNvAjthW2yHkS N8Kq7Bod0jpfl1CZcZy3RCs3Fju+DQPBvhCJ56wGAwhzBtPvHerSGXFx3dVPYIxV9Cfb Qu/5NV8= =Ixct -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists