AJAX dan Bug(s)
I decided to put this entry on arahmadi instead of sqvalkic on blogspot.com. With regard to some poorly written AJAX enabled web applications, SQL injection likelihood is increasing.
A flashback to several months before, I advised some holes in a critical web application, used by a national prestigious event. The thing became worst as the application was re-coded and enriched all the time to shut down critics or simply to satisfy some instant ideas! This was a primary cause to hacking as not enough time to review the lines. Nonetheless, some attempts to break in were ended premature due to real time monitoring of logs.
This months, I found several SQL injection vulnerable sites unintentionally, owing to script blocking add-in on my Firefox. Utilizing no-script, or whatever program that stop JavaScript for running automatically, will distract AJAX featured sites. At the same time, feeder pages are transparently popped on the browser. As feeders emerge, we can easily track and probe them for SQL injection. In so doing, to communicate your finding to the legal owner(s) of the web is encouraged. They deserved to know immediately.
Several reasons on why those webs are not hacked yet are:
1. It is simply not worthed to break in, i.e. giving only minimal impact on hacker's recognition.
2. The bug is escaped narrowly for being detected.
Creating AJAX enriched site requires more rigorous scripting. It includes securing client's side JavaScript application, XML feeder, and communication between server and client!
A flashback to several months before, I advised some holes in a critical web application, used by a national prestigious event. The thing became worst as the application was re-coded and enriched all the time to shut down critics or simply to satisfy some instant ideas! This was a primary cause to hacking as not enough time to review the lines. Nonetheless, some attempts to break in were ended premature due to real time monitoring of logs.
This months, I found several SQL injection vulnerable sites unintentionally, owing to script blocking add-in on my Firefox. Utilizing no-script, or whatever program that stop JavaScript for running automatically, will distract AJAX featured sites. At the same time, feeder pages are transparently popped on the browser. As feeders emerge, we can easily track and probe them for SQL injection. In so doing, to communicate your finding to the legal owner(s) of the web is encouraged. They deserved to know immediately.
Several reasons on why those webs are not hacked yet are:
1. It is simply not worthed to break in, i.e. giving only minimal impact on hacker's recognition.
2. The bug is escaped narrowly for being detected.
Creating AJAX enriched site requires more rigorous scripting. It includes securing client's side JavaScript application, XML feeder, and communication between server and client!
Comments