Yahoo Mail Worm a Preview of Mashup Security Woes


Presumably most folks have seen about the Yahoo Mail worm that surfaced today.  This was bad enough and an excellent example of the security perils associated with AJAX.

This will get even worse as more and more organizations build so-called mashup sites.  It is bad enough when your organization controls all of the AJAX endpoints your application talks to.  You have enough to worry about writing secure AJAX functions and guarding against cross site scripting attacks on your own application.  With mashups your applications has to pull content from a variety of applications – some created by your organization or under your control, and others from potentially untrusted third parties.  This drastically alters your architecture and requires careful risk analysis if it is going to be done in a secure manner.  There are some slides addressing this issue in my original OWASP San Antonio presentation about AJAX security and sprajax.

Organizations and developers seem to be so enamored with what they can do with AJAX when they should be focused on what they should do.  With great power comes great responsibility…

dan _at_

PS – I am getting close to the next release of sprajax which will have some support for the Google Web Toolkit (GWT).  I have been busy and on the road this week and haven’t had time to get this finished.  I might release some interim code that enumerates the GWT service endpoints but doesn’t yet do the fuzzing.

About Dan Cornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan has speaks at such international conferences as RSA, ROOTs in Norway and OWASP AppSec EU.

Leave a reply