Now what this means is that with a bit of basic coding, maybe something as simple as doing a loop on http://10.0.0.1/feed and just upping the ip address you might be able to get hold of internal feeds and then submit that content externally. Because the javascript is living in the browser there is no security around the retrieval or submission, because the users SSO will get them internally and they are already sorted on their company proxy.http://www.blogger.com/img/gl.link.gif
As more platforms support "standard" RSS & Atom feeds for information which have standard URI names then the ability of such hunt and find techniques will be much more effective, and because you can use a remote script load approach you can keep your cracking script up to date based on what is working and what is not.
IBM have a good article that goes into the challenges of javascript (and the script tag) and security and what this means for mashups.
Technorati Tags: Javascript, Security
No comments:
Post a Comment