R in CRUD - where is the line between function vulnerability and disclosure?

We all know how to make our Ajax calls using address routing and HTTP GET with parameters in the URL, because the client side can cache these calls and therefore server load is reduced, but where do you guys think the line lies between a "neat way to solve problems" and a "disclosure vulnerability"? I will give some examples:

Let's say I'm on my banking site. In the background, my browser is doing an HTTP GET to /onlinebanking/AForster/transactions. Of course, I am very paranoid about people knowing my bank account login ID, so I always make sure that "remember me" is not checked. However, is the fact that my browser accessed a URL containing my login ID a disclosure vulnerability?

How about if I'm on a forum and I read a restricted thread that ordinary users should not know about. My browser receives the contents of the thread by doing an HTTP GET to /forum/Secret-Board/Im-Going-To-Kill-My-Brother/posts. Does the fact that I even accessed this URL with Ajax somehow reveal the existence of this thread to my brother?

Etc. etc. You can probably think of more scenarios. I really want to use client-side caching of Ajax calls, but in these cases would Ajaxing to these URLs be considered a disclosure vulnerability?

+3
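As an added example (not code from the thread or its participants), the following Python function applies the RFC 9111 storage rules to a response's headers and reports whether the user's own browser cache and a shared proxy cache may keep the body of an Ajax GET such as the banking URL above; the header sets it checks are constructed.

```python
"""Which caches may keep the body of an Ajax GET to a per-user URL?

Constructed example applying RFC 9111 storage rules to a 200 response.
"""
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split 'private, max-age=60' into {'private': None, 'max-age': '60'}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def cache_exposure(headers: dict[str, str], authenticated: bool) -> dict[str, bool]:
    """Report whether a private (browser) or shared cache may store the response.

    `authenticated` is True when the request carried an Authorization header.
    A session cookie alone does not trigger the shared-cache restriction,
    which is why per-user resources should set 'private' or 'no-store'
    explicitly instead of relying on defaults.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return {"private_cache": False, "shared_cache": False}
    # Any other 200 response may be stored by the browser (heuristic
    # freshness); 'no-cache' only forces revalidation, not non-storage.
    private_ok = True
    shared_ok = "private" not in cc
    if authenticated and shared_ok:
        # RFC 9111 section 3.5: a shared cache may keep a response to a
        # request with Authorization only if one of these permits it.
        shared_ok = any(d in cc for d in ("public", "s-maxage", "must-revalidate"))
    return {"private_cache": private_ok, "shared_cache": shared_ok}


if __name__ == "__main__":
    # Constructed header sets for an endpoint like /onlinebanking/AForster/transactions.
    for label, hdrs in (
        ("no headers", {}),
        ("no-cache only", {"Cache-Control": "no-cache"}),
        ("hardened", {"Cache-Control": "no-store"}),
    ):
        print(f"{label:14} {cache_exposure(hdrs, authenticated=True)}")
```

Only `no-store` keeps the response out of the browser's disk cache; every other header set leaves the URL and body stored on the client.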
5 answers

So, you raise a couple of points that I'd like to know more about, but I'll try my best to at least lay things out ...

Your browser caches URLs that carry sensitive / secure information in transit, leaving a potential window for others to see your personal information. Effects:

  • - , , , , - - XSS URL- javascript.

, , , :

  • , , -. . Firefox, " ", , . , , , , ..

  • (, , ) .

  • - EVER URL- . , . , ( 2). : /onlinebanking/UserServices/transactions URL- RESTful , IP, (mod_auth ). , " " " ". LOTS. HP, 6 , , 10 js script (.: Yahoo! Mail) , , , , .

, .

  • URL-? . , xxx, (? ! Yay privacy!) RESTfulness, , . , iamgoingtokillhimtonight/posts URL-, ... ... .

:

, URL- , , , . , , , , - , , --. - URL-, script ? . , , , , . , . - js , , URL- , URL-, URL-, XSS . , , , cookie ( cookie , ). , pre-AJAX:

  • .
  • - , nonces .

, XSS ( ) ( ) . XSS . - , - . , , , , , - URL-, - Forester. , .

, , :

RESTfulness AJAX , , -, , . , URL- RESTful , , ; , , , , .

, . .

0

- .

/forum/Board-214/Thread-5625/posts - .


, , .

, URL- AJAX, ?

0

, , , .. ( , , , , , , ...).

, , - - "" . " ", ? , , . , , , , - .

, , AJAX , .

0

URL- -, , , .

. (!) , URL- , . .

" , ". , ? , URL-, . URL- - /forum/thread/12345/.

, CRUD, AJAX , . , , "".

0

, ! , , , , OpenID.

, . , , , - HTTP/JSON. , -. , URL-, , GET, . , , , - RESTful ( , CRUD), . , - , , .

, , , Ajax iframe URL- , . , XHR , , . XSS ; , URL-. - , "AForster", /-/AForster/ , .

, , , GET, , , TLS . , , URL-. , : 1) -, 2) websense 3) VPN. , - , , URL-, , - CMS//---/--/, - -. , , , .

0

Source: https://habr.com/ru/post/1718951/
