Today I’m at the Ajax Technologie-Konferenz organized by the internet-efficiency club.
First presentation is “Cross Site Scripting Brings Web Services to the Browser” by Steffen Meschkat.
My notes:
- moving functionality to the client side
- SOA: service oriented architecture
- result: client side code uses remote services
- cross site scripting security!
- script can not access content from another site (iframes, XMLHttpRequests, cookies)
- script can send requests to another site (load iframe, post form, load img)
- can almost NOT read the response
- cross site scripting attacks are therefore effective (XSS attacks)
- script elements can be dynamically loaded and executed
- script which is loaded on a page can load and execute foreign scripts
- why is it allowed?
  - no data - not sensitive data (only code)
  - only executable, not readable
  - only script is loaded into a script (not HTML)
- advantages of XSS
  - use of XSS libraries (such as the Google Maps API)
  - loads the script library from the library site, then uses the functionality of the provided library
- XSS services
  - with callback invocation, the server passes the result data as arguments
  - geo coding service launched last Monday by Google
  - e.g. http://maps.google.com/maps/geo?q=zurich&output=json&callback=__geostore.__cg1&key=xxx
  - response is the content of a script element, which is executed with the data as arguments
- short demo about XSS with a local application using the Google geo coding service
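The callback mechanism from the notes above, written out as an added example (my own code, not the speaker's demo and not Google's service). The page registers a callback under a global name, asks the service for a script that calls that name with the result as its argument, and executes whatever comes back. `buildJsonpResponse`, `fakeGeoService`, `loadJsonp`, the coordinates and the status codes are all constructed for this example; in a browser the "load" step would be a dynamically created script element, here the returned script text is executed directly so it runs in Node.

```javascript
// Added example: how a script-element "XSS service" with a callback works,
// on both the server and the client side. Names and data are constructed.

// Server side: only accept a callback name that is a plain (dotted) identifier.
// Without this check the response is attacker-chosen script for every page
// that loads it, which is exactly the trust problem the notes point at.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return SAFE_CALLBACK.test(name);
}

// Wrap the result as script text: `<callback>(<json>);`
function buildJsonpResponse(callbackName, data) {
  if (!isSafeCallback(callbackName)) {
    throw new Error("invalid callback name: " + callbackName);
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Constructed stand-in for the geo coding service (not a real response format).
function fakeGeoService(query, callbackName) {
  const results = { zurich: { lat: 47.3769, lng: 8.5417 } }; // constructed values
  const data = results[query]
    ? { status: 200, query: query, coordinates: results[query] }
    : { status: 602, query: query }; // constructed "not found" code
  return buildJsonpResponse(callbackName, data);
}

// Client side: register a callback under a unique global name, then run the
// script the service returns. In a browser this is
//   s = document.createElement("script"); s.src = url + "&callback=" + name;
// Executing the text with Function() here mirrors what the browser does:
// the page runs the remote site's code with the page's own privileges.
let counter = 0;
function loadJsonp(service, query) {
  const name = "__cb" + (++counter);
  let received = null;
  globalThis[name] = function (data) { received = data; };
  try {
    const scriptText = service(query, name);
    new Function(scriptText)();
  } finally {
    delete globalThis[name]; // do not leave callbacks lying around
  }
  return received;
}

// Usage
const hit = loadJsonp(fakeGeoService, "zurich");
console.log(hit.status, hit.coordinates);        // 200 { lat: 47.3769, lng: 8.5417 }
console.log(loadJsonp(fakeGeoService, "nowhere").status); // 602
```

The client never reads the HTTP response as data; it only learns the result because the server chose to call the callback with it, which is why the notes say the loaded script is "only executable, not readable". The flip side is that the page has no say over what else that script does, so a service of this kind is trusted as much as any library included with a script tag.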
Technorati Tags: ajax, conference, internetefficiencyclub, euroajax, swiss, zurich