JSON Security Issues
Rob Yates: “A user logs into a wiki on the corporate intranet. This wiki provides a JSON API with a callback function (Approach 3). The user then visits a rogue site on the internet. The page from the rogue site, when rendered in the user’s browser, performs a JavaScript include to the wiki’s JSON API, passing a callback function. This results in data from the wiki being made available to the rogue site’s JavaScript function in the page via the callback. Further JavaScript on the page can then form-POST the data back to the rogue site, and as such the data can be stolen. Not good.”
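To make the quoted failure mode concrete from the wiki's side, here is an added example (not code from the original post or from any real wiki) that models the API handler two ways as plain functions over a request object, so it runs without a web server. `handleJsonpRequest` is the "Approach 3" shape the quote describes: the browser attaches the wiki cookie to a cross-site `<script src>` request too, so whoever supplies `?callback=` gets the data handed to their own function. `handleHardenedRequest` refuses to wrap authenticated data in a callback at all and only answers same-origin requests that carry a custom header and a session-bound CSRF token, neither of which a `<script>` include can set. The session store, cookie names, header names, token values and sample requests are all constructed for this example.

```javascript
// Constructed session store for the example: cookie value -> session data.
const SESSIONS = {
  "sid-abc": { user: "alice", csrfToken: "tok-9f3e", pages: ["Roadmap", "Salaries"] },
};

// Request shape assumed by this example: { cookies, query, headers } with
// lower-cased header names, as an HTTP framework would typically present them.
function lookupSession(req) {
  const sid = (req.cookies || {}).sid;
  return sid && SESSIONS[sid] ? SESSIONS[sid] : null;
}

function sessionJson(session) {
  return JSON.stringify({ user: session.user, pages: session.pages });
}

// "Approach 3" as the quote describes it: honour a ?callback= parameter.
// The cookie check passes for a cross-site <script src> request because the
// browser sends the wiki's cookie with it, and the response is executable
// JavaScript, so the including page's own function receives the data.
function handleJsonpRequest(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, contentType: "text/plain", body: "" };
  const json = sessionJson(session);
  const cb = (req.query || {}).callback;
  return cb
    ? { status: 200, contentType: "application/javascript", body: `${cb}(${json});` }
    : { status: 200, contentType: "application/json", body: json };
}

// Hardened handler for authenticated data.
function handleHardenedRequest(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, contentType: "text/plain", body: "" };

  // 1. Never serve authenticated data as executable script. A <script> tag on
  //    another origin cannot read a plain JSON body, but it can run a JSONP one.
  if ((req.query || {}).callback) {
    return { status: 400, contentType: "text/plain", body: "callback not supported" };
  }

  // 2. Require a custom header. <script>, <img> and <form> requests cannot set
  //    one; only same-origin XMLHttpRequest/fetch (or a CORS-preflighted request
  //    the server explicitly allowed) can.
  const headers = req.headers || {};
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, contentType: "text/plain", body: "" };
  }

  // 3. Require a token bound to the session, which only same-origin script that
  //    already holds the page can know; the cookie alone proves nothing here.
  if (headers["x-csrf-token"] !== session.csrfToken) {
    return { status: 403, contentType: "text/plain", body: "" };
  }

  return { status: 200, contentType: "application/json", body: sessionJson(session) };
}

// Constructed sample requests: the cross-site <script> include from the quote,
// and a legitimate same-origin XHR from the wiki's own page.
const SAMPLE_CROSS_SITE_SCRIPT = {
  cookies: { sid: "sid-abc" },          // browser adds the wiki cookie automatically
  query: { callback: "rogueFn" },       // chosen by the including page
  headers: {},                          // a <script> tag cannot add headers
};
const SAMPLE_SAME_ORIGIN_XHR = {
  cookies: { sid: "sid-abc" },
  query: {},
  headers: { "x-requested-with": "XMLHttpRequest", "x-csrf-token": "tok-9f3e" },
};

// Run both handlers against both requests and return the outcomes.
function compareHandlers() {
  return {
    jsonpCrossSite: handleJsonpRequest(SAMPLE_CROSS_SITE_SCRIPT),
    hardenedCrossSite: handleHardenedRequest(SAMPLE_CROSS_SITE_SCRIPT),
    hardenedSameOrigin: handleHardenedRequest(SAMPLE_SAME_ORIGIN_XHR),
  };
}

console.log(JSON.stringify(compareHandlers(), null, 2));
```

The first result shows the leak the quote describes (the body is `rogueFn({...});`, executable on any origin); the second shows the hardened handler rejecting the same request before any data is serialised, while the same-origin XHR still gets its JSON. Checking the `Referer` header instead is weaker, since it is often stripped by proxies and privacy settings, which is why the header-plus-token combination is the usual answer.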
March 4th, 2007 at 8:52 pm
In that case, if I keep my Google account logged in always, it’s a threat to all the Google services I use. Am I right?
March 5th, 2007 at 7:47 am
Yogesh: I’m not all that familiar with the auth mechanism Google uses for its webapps, so I’m not sure.