JSON Hijacking and the National Enquirer

A couple of days ago eWeek posted a panic attack here http://www.eweek.com/article2/0,1895,2110554,00.asp?kc=EWEWEMNL040307EP37A that sensationalized a paper that Fortify published here: http://www.fortifysoftware.com/advisory.jsp

I posted a link to the article yesterday – sort of tongue in cheek, but decided to wait until I could refer to more information because folks might not intuit my point.

So let me offer this subtle hint: THERE IS NOTHING NEW HERE !

Security companies market themselves by generating press about their research – fair enough.

Tech Media Companies like eWeek naturally sensationalize to keep their readership flowing (the National Enquirer model of Journalism).

Now, it’s not like I don’t take developer security seriously. I spent about 4 of the past 6 years focused mostly on developer security.

But it’s time we fix the perspective a bit. Fortify wants to identify the AJAX vendors as the source of these security problems. (And not just Microsoft but basically everyone that makes Ajax Software.)

It’s great that security companies are looking at the rapid adoption of Ajax and calling attention to security issues. But, at the risk of sounding redundant …


HTTP & JavaScript have not changed. The possible programming mistakes have not changed. The defensive development practices that mitigate these risks have not changed. Just some of the buzzwords have been added.

ScottGu has replied here to some of the specific call outs in the above referenced article : http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
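Two of the standard defensive practices against JSON hijacking, written as an added example that is not code from this post or from ASP.NET AJAX itself: only answer JSON requests that a cross-site `<script>` tag cannot produce (POST with a JSON Content-Type), and never hand back a bare JSON array, since a bare array is a valid JavaScript program while an object-wrapped body (the `{"d": ...}` framing ASP.NET AJAX uses) is not. The request shape (`{ method, headers }` with lower-case header names) is an assumption made for the example.

```javascript
// Added example, not from the original post or from ASP.NET AJAX.
// Pure functions so the checks can be exercised without a web server.

// Mitigation 1: a <script src="..."> tag can only issue a GET with no
// custom Content-Type, so require POST plus application/json.
// Assumed request shape: { method, headers } with lower-case header names.
function isSafeJsonRequest(req) {
  if (req.method !== 'POST') return false;
  const ct = String((req.headers || {})['content-type'] || '').toLowerCase();
  return ct.split(';')[0].trim() === 'application/json';
}

// Mitigation 2: wrap the payload in an object ({"d": ...}, the framing
// ASP.NET AJAX uses) so the body is not a runnable JavaScript program.
function frameJson(payload) {
  return JSON.stringify({ d: payload });
}

// Verification helper for mitigation 2: does the body parse as a script?
// A bare array body does; the object-wrapped body raises a SyntaxError
// because `{` opens a block and a string literal cannot be a label.
// new Function only parses the text; nothing is executed.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload (not real data).
const sample = [{ user: 'alice', balance: 42 }];
console.log(parsesAsScript(JSON.stringify(sample))); // true: bare array runs as script
console.log(parsesAsScript(frameJson(sample)));      // false: wrapped body does not
```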

Since it seems like there are still a good number of developers that are not yet up to speed on Web Development security and are particularly interested in how these security challenges relate to doing Ajax style programming…

I’ve been talking to my old security buddy Mark Brown about resurrecting the “Digital Black Belt” Secure Development Series to do an extended “Developing Secure Web Applications with ASP.NET and Microsoft Ajax”.

Please offer your opinions so that I can gauge interest.


Comments (3)

  1. Mark Brown says:

    Sounds good to me, Joe. I very much want to help developers create killer AJAX applications that are secure, as well as show developers the techniques being used today to exploit this new breed of web apps, show some new things hackers are doing that devs should all be aware of, and help them keep their systems and their data secure.

  2. Hi,

    I think this is not new here, properly. It’s a new technology, and it’s necessary to improve.

    In that way, I propose that Microsoft organize one event with their regards, so that people discover some security failures.

    Give the community their own responsibility to improve their own destiny.

    Thanks a lot!

    Orlando Agostinho

    Computer Engineer


  3. Andy says:

    I think that this is a great idea. It’s important to do as much as possible to try and filter this through to the community – there are too many people who have major misconceptions about .NET, AJAX and security.
