Re: [WEB SECURITY] The state of JavaScript Hacking



Mozilla with their XUL makes attackers life so much easier. It is not
that the Mozilla browser is vulnerable to any specific type of attack
but the past has already proved many times that eventually someone
will find an issue with the architecture. Then people will find the
same mistake in other places. The Mozilla XUL is considered a true RIA
(Rich Internet Application) platform that is currently the base of
many open source products. All of them support JavaScript, CSS, Flash
(if installed) and Java (if installed). If the developers of these
applications don't have deep understandings of the security
implications of the Mozilla platform the WEB will become suddenly very
dangerous place for them.

Last but not least we have Microsoft with their XAML and WPF (Windows
Presentation Foundation). I am sure that not that many people have
heard of these technologies so let me explain what they are in brief.
They are the Microsoft's way to do RIA. The only thing is that they
relay on .NET3 which makes them explicitly for Windows. I am not sure
what is the state of the MONO project though.

WPF will allow you to build Rich Internet Applications with XML, CSS
and .NET. .NET supports many languages one of which is JavaScript. Try
to do some coding in ASP and you will see that it feels the same as
browser JavaScript. This is JavaScript on the server, the browser and
the desktop. It enables web worms and future high-end attackers to a
degree hardly imaginable by anyone today.


I've been waiting awhile to see someone talk about this! :)

It is good to hear some conversation about XUL and WPF/XAML as these kinds of applications/technologies will change
the way we use the web. For those who know nothing about these technologies picture a windows application running
inside of your browser having the same look/feel as a non web application (a pretty applet). One of the initial concerns involves
the users inability to 'be aware of' application changes initiated potentially via XSS or other types of script injection.
One could XSS a site, change the URL to the sites RIA application to their own, and potentially act as a proxy with
the real application without the users knowledge. Does anyone know of any decent links/tutorials on signing XUL/WPF/XAML apps
to prevent such situations?

One of the neat .NET 3.0 features allows a developer to at compile time decide if an application is web based or standalone. So
for those of you who have written applets instead of modifying code you just change a compile time option.

"Finally, it is worth noting that Windows executables can be hosted in a window (by default) as well as in the browser. In both cases, the code remains the same and only needs to be compiled again with a different project property.
"
- http://msdn.microsoft.com/msdnmag/issues/04/01/DevelopingAppsforLonghorn/


Additional reading for those interested
http://blogs.msdn.com/mharsh/archive/2006/03/23/559106.aspx
http://msdn2.microsoft.com/en-us/library/ms746927.aspx

Sample applications:
http://www.charlespetzold.com/wpf/

- zeno
http://www.cgisecurity.com Website Security news and more!
http://www.cgisecurity.com/index.rss [RSS Feed]



Relevant Pages

  • Re: Delphi - desktop, Web, or USB?
    ... something has to run these web applications as well. ... browser, using Java to provide the programmatic stuff (or use some ... A Windows Media Player replacement? ... I have Open Office running off my USB drive. ...
    (borland.public.delphi.non-technical)
  • Re: Clear all optgroups and options from a select list
    ... who should be allowed to work on web applications by being handled "all ... for making windows, making objects draggable, a hello ... fashion and the AJAX buzzword. ... responsive in either major browser. ...
    (comp.lang.javascript)
  • Delphi - desktop, Web, or USB?
    ... Email and office applications can been replaced for smaller ... I've used both, and had some fun with the various Google bits and bobs, and although they will get the job done, they are annoyingly slow at times, and have a distinctly clunky (almost Windows 3.1) look and feel to them. ... The implication of this line of argument is that the multiple gigabytes of Vista and Mac OSX are completely unnecessary - all you need is a Web browser and an ultra-light kernel to host it on - something to look after the screen, ... Just how realistic is it to run an application like Word 2007, or Photoshop, from a USB stick on any computer you happen to be near, without touching the registry or "installing" anything? ...
    (borland.public.delphi.non-technical)
  • Re: Default application. How to?
    ... >>I want an http:// link from various applications like Thunderbird, ... >>of the browser being running or not. ... mozilla version I have, so its just a version alternative. ... Epiphany for http:// links. ...
    (Debian-User)
  • Re: [WEB SECURITY] The state of JavaScript Hacking
    ... that the Mozilla browser is vulnerable to any specific type of attack ... The Mozilla XUL is considered a true RIA ... Last but not least we have Microsoft with their XAML and WPF (Windows ... WPF will allow you to build Rich Internet Applications with XML, ...
    (Pen-Test)