Author Archive

Protected: XSS exploits in 8 of AOL’s properties including Engadget, TUAW, and Social Thing enabled sites

April 30th, 2009

Mauvis Ledford | JavaScript, Web Security

Secure your Ajax requests: part 2

December 19th, 2008

In the previous post, Bryan showed you how to prevent a JSON payload from being rendered across domains by simply prepending a string of text to the payload that either 1) makes it invalid JavaScript (a script tag only executes what it pulls in if the whole response parses as valid JavaScript) or 2) creates an infinite loop so that the rest of the script never executes.

More issues

While this is an effective way to prevent an attacker from pulling information they are not supposed to access, what about pushing information or executing commands via POST or GET? In that case it doesn't really matter whether the attacker can read the HTTP response: the attacker's request has already been executed, and the response (success or failure) is relatively unimportant. Any potential damage has already been done.

Mauvis Ledford | Web Security