Topics
Guidelines from OWASP
Guidelines from Douglas Crockford
Security threats (in Ajax environment)
there is nothing dangerous in the text.
> The next edition of JavaScript will have parseJSON built in. For now, you can get parseJSON at http://www.JSON.org/json.js.
On the server side, always use good JSON encoders and decoders.
Script Tags
Script tags are exempt from the Same Origin Policy. That means that any script from any site can potentially be loaded into any page. There are some very important consequences of this. Any page that includes scripts from other sites is not secure. External scripts can be used to deliver ads or search result options, or logging, or alerts, or buddy lists, or lots of other nice things. Unfortunately, the designs of JavaScript and the DOM did not anticipate such useful services, so they offer absolutely no security around them. Every script on the page has access to everything on the page.
Universal XSS
Exploits flaws of browsers
built
Questions?