
Yahoo Mail Worm a Preview of Mashup Security Woes

Presumably most folks have heard about the Yahoo Mail worm that surfaced today. It was bad enough on its own, and it is an excellent example of the security perils associated with AJAX: script smuggled into content the application renders gets to run with the full privileges of the logged-in user.

This will get even worse as more and more organizations build so-called mashup sites. It is bad enough when your organization controls all of the AJAX endpoints your application talks to. You have enough to worry about writing secure AJAX functions and guarding against cross site scripting attacks on your own application. With mashups your application has to pull content from a variety of sources, some created by your organization or under your control, and others from potentially untrusted third parties. Every one of those third-party endpoints is now an input to your application, and anything it returns has to be treated as untrusted data rather than dropped straight into the page. This drastically alters your architecture and requires careful risk analysis if it is going to be done in a secure manner. There are some slides addressing this issue in my original OWASP San Antonio presentation about AJAX security and sprajax.
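To make the mashup point concrete, here is an added example (not code from the original post or from sprajax) that runs under Node.js without a browser. It contrasts the vulnerable pattern of concatenating a third-party feed straight into markup destined for innerHTML with a hardened version that restricts which origins may be called and escapes every field before it reaches the DOM. The feed contents, the partner origin and all function names are constructed for illustration.

```javascript
// Added example: treating content pulled from a third-party mashup endpoint as
// untrusted input. Constructed sample feed: the second item carries the kind of
// payload an XSS worm relies on (an event handler and an inline script).
const SAMPLE_FEED = JSON.stringify({
  items: [
    { title: "Weekend photos", body: "Check these out" },
    {
      title: "<img src=x onerror=\"fetch('/send?to=everyone')\">",
      body: "<script>alert(1)</script>",
    },
  ],
});

// Origins this application is willing to pull content from (an assumed
// allowlist for the example; a real application would load it from config).
const TRUSTED_ORIGINS = new Set(["https://api.example-partner.com"]);

// Reject anything that is not https or not an allowlisted origin. Parsing the
// URL first defeats look-alike hosts such as api.example-partner.com.evil.test.
function isTrustedEndpoint(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "https:" && TRUSTED_ORIGINS.has(parsed.origin);
}

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: feed fields are concatenated into markup that the page
// would assign to innerHTML. The worm payload survives untouched.
function renderUnsafe(feedJson) {
  const feed = JSON.parse(feedJson);
  return feed.items.map((it) => `<li><b>${it.title}</b> ${it.body}</li>`).join("");
}

// Hardened pattern: validate the shape and types of what came back, escape
// every field, and keep the element structure under the application's control.
function renderSafe(feedJson) {
  const feed = JSON.parse(feedJson);
  if (!feed || !Array.isArray(feed.items)) {
    throw new Error("unexpected feed shape");
  }
  return feed.items
    .map((it) => {
      if (typeof it.title !== "string" || typeof it.body !== "string") {
        throw new Error("unexpected item shape");
      }
      return `<li><b>${escapeHtml(it.title)}</b> ${escapeHtml(it.body)}</li>`;
    })
    .join("");
}

// Gate the whole flow: refuse untrusted endpoints before any request is made,
// then render the body through the hardened path. The HTTP call is injected so
// the example runs offline; pass a fetch-compatible function in a real page.
async function renderFromEndpoint(url, fetchImpl) {
  if (!isTrustedEndpoint(url)) {
    throw new Error(`refusing to pull mashup content from ${url}`);
  }
  const res = await fetchImpl(url);
  if (!res.ok) {
    throw new Error(`upstream returned ${res.status}`);
  }
  return renderSafe(await res.text());
}

console.log("unsafe:", renderUnsafe(SAMPLE_FEED));
console.log("safe:  ", renderSafe(SAMPLE_FEED));
```

The allowlist check alone is not enough: a partner you trust can still be compromised, or simply relay user-generated content it never sanitized, which is why the escaping step applies to every endpoint regardless of origin. In a real page the safe string goes into innerHTML or, better, each field is assigned via textContent on elements the application created.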

Organizations and developers seem to be so enamored with what they can do with AJAX that they lose sight of what they should do. With great power comes great responsibility…

dan _at_

PS – I am getting close to the next release of sprajax which will have some support for the Google Web Toolkit (GWT).  I have been busy and on the road this week and haven’t had time to get this finished.  I might release some interim code that enumerates the GWT service endpoints but doesn’t yet do the fuzzing.

About Dan Cornell


A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.