JSON Hijacking and the National Enquirer

A couple of days ago eWeek posted a panic attack here https://www.eweek.com/article2/0,1895,2110554,00.asp?kc=EWEWEMNL040307EP37A that sensationalized a paper that Fortify published here: https://www.fortifysoftware.com/advisory.jsp

I posted a link to the article yesterday – sort of tongue in cheek, but decided to wait until I could refer to more information because folks might not intuit my point.

So let me offer this subtle hint: THERE IS NOTHING NEW HERE !

Security companies market themselves by generating press about their research – fair enough.

Tech Media Companies like eWeek naturally sensationalize to keep their readership flowing (the National Enquirer model of Journalism).

Now, it’s not like I don’t take developer security seriously. I spent about 4 of the past 6 years focused mostly on developer security.

But it’s time we fix the perspective a bit. Fortify wants to identify the AJAX vendors as the source of these security problems. (And not just Microsoft but basically everyone that makes Ajax software.)

It’s great that security companies are looking at the rapid adoption of Ajax and calling attention to security issues. But, at the risk of sounding redundant …

THERE IS NOTHING NEW HERE !

HTTP & JavaScript have not changed. The possible programming mistakes have not changed. The defensive development practices that mitigate these risks have not changed. Just some of the buzzwords have been added.

ScottGu has replied here to some of the specific call-outs in the above referenced article: https://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

Since it seems like there are still a good number of developers that are not yet up to speed on web development security and are particularly interested in how these security challenges relate to doing Ajax-style programming…

I’ve been talking to my old security buddy Mark Brown about resurrecting the “Digital Black Belt” Secure Development Series to do an extended “Developing Secure Web Applications with ASP.NET and Microsoft Ajax”.

Please offer your opinions so that I can gauge interest.

Joe