Foundations of Ajax
Fortify mentioned this book during RSA as teaching insecure practices through examples that prove vulnerable to exploitation. We decided to start with this book and found several vulnerable code samples. Most were HTML-context XSS vulnerabilities, but one was in the JavaScript context, in JSON messaging.

"Since the code samples (in the book) are likely to be regarded as a best-practices guide, many software developers worldwide will learn insecure coding habits," Chess said.

Ryan Asleson, one of the authors of "Foundations of Ajax," said he had not heard of the alleged flaws in the sample code. However, he said, if those problems do exist, it is possible, because the code was kept simple for a large audience. "We never intended the code that's in there to actually be production-ready code," he noted.

http://www.zdnetasia.com/news/internet/0,39044246,39378888,00.htm

This is the first example of code that is vulnerable to XSS:

//Get the user's input

This simple exploit will demonstrate the vulnerability:

This code uses OWASP's ESAPI to encode the user's input in the proper context:

//Get the user's input
//Create the response text
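The two output contexts the page names (HTML, and a JavaScript string inside a JSON reply), as an added JavaScript example that is neither the book's code nor ESAPI's: the encoder names mirror ESAPI's encodeForHTML and encodeForJavaScript but are minimal stand-ins, and the greeting response and the input are constructed for illustration.

```javascript
// Added example, not code from the book or from OWASP ESAPI. encodeForHTML and
// encodeForJavaScript borrow ESAPI's method names but are minimal stand-ins.

// HTML context: neutralise the characters that start tags, attributes or entities.
function encodeForHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// JavaScript string context: every non-alphanumeric character becomes \uHHHH,
// which is valid both inside a JS string literal and inside a JSON string.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The book-style pattern: raw input is concatenated into the JSON reply, so a
// double quote in the input ends the string literal and the rest is read as syntax.
function buildJsonInsecure(name) {
  return '{"greeting": "Hello, ' + name + '"}';
}

// Same reply with the input encoded for the context it lands in (a JS/JSON string).
function buildJsonEncoded(name) {
  return '{"greeting": "Hello, ' + encodeForJavaScript(name) + '"}';
}

// Preferable where available: let the serializer own the quoting entirely.
function buildJsonSerialized(name) {
  return JSON.stringify({ greeting: "Hello, " + name });
}

// Returns true when the reply parses back to exactly the intended greeting.
function roundTrips(builder, name) {
  try {
    return JSON.parse(builder(name)).greeting === "Hello, " + name;
  } catch (e) {
    return false; // a SyntaxError means the input changed the message's structure
  }
}

// Constructed input carrying the characters significant in each context.
const constructedName = 'Bob" <b>&</b>';
console.log("HTML context :", encodeForHTML(constructedName));
console.log("insecure JSON:", roundTrips(buildJsonInsecure, constructedName));   // false
console.log("encoded JSON :", roundTrips(buildJsonEncoded, constructedName));    // true
console.log("serialized   :", roundTrips(buildJsonSerialized, constructedName)); // true
```

The point to carry away is that the encoder must match the place the data lands: HTML entities do nothing for a string inside a JSON reply, and a JavaScript-string encoder does nothing for an element body.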