Claude,

There is literally nothing (not a single thing) that is "off limits" on the
client side. You cannot trust or believe the browser is in any way shape or
form a secure environment and you must assume that things like cookies can
and will be hacked and experimented with. This is why it is important that
variables be tied to temporary entities on the client side (like expiring
session cookies) as you mention below. Beyond that your conclusions are
correct and scary - but the alternative is probably to close up shop and
move to a cabin in Montana :)

-Mark


-----Original Message-----
From: Claude Schnéegans <schneeg...@internetique.com>
Sent: Wednesday, September 03, 2014 10:29 PM
To: cf-talk
Subject: Re: OT, but stil...


 >>They don't call it Malware for nothing

Ok, but if a malware does "mal" to a moron client side, in a pinch, this is
not our problem, but if it can get passwords so easily, it can also do mal
to any server any time.
I just got one tonight that allows itself to define cookies under MY domain!
If it can store cookies, it can also read cookies, including session
cookies!
With the session Id, it does not even need the password.

I'd like to detect all pieces of javascript code defined in a document and
check if they are mine.
I was thinking of document.getElementsByTagName, but I'm not even sure all
parasite code will actually have a <SCRIPT tag.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359230
