Arjan's World: October 2005
Monday, October 24, 2005

Malicious Use Of AJAX Technology

Some time ago on DevX I read a story warning for the possible malicious use of AJAX.

Well, as of today the number of Google hits on 'AJAX malicious' will probably explode as someone succeeded in getting hero status on myspace.com by abusing an AJAX-based XSS exploit due to lax security on that website.

Of course, in this case it's an innocent exploit, but we can probably expect more to follow. What I'd like to stress is that there is absolutely nothing wrong with the AJAX technology itself. It's just a new way to use an old trick. The problem in this case was only partially on myspace's side, however: the script writer says browser makers are also to blame. Well, at least one can say that site builders always need to have security on their minds, but it's also a bit more complicated than that. Anyway, at least web security is getting more and more attention in 2005, which is a good thing.

via 'the Information Security Officer' aka the Chief

update: it turns out this news is already more than 10 days old. Thought I had a scoop for you, but I'm probably the last one to know. Anyway, here is an analysis of the 'worm'

Thursday, October 20, 2005

Put Your Del.icio.us Feeds On Your Blog

SUBTITLE: The disadvantage of using too many free services

Lately I've seen a couple of people (well, there were more but I forgot who) asking how they can get their del.icio.us URLs into their blogs automatically. One of the commenters mentioned http://itde.vccs.edu/rss2js/build.php as a page to convert a feed of bookmarks into a javascript file. Subsequently you can put the JavaScript in your sidebar or wherever you like it, and you're done. I don't know about that one, but it might be good. I use another service, with which I'm quite satisfied until now. I post to a 'weblog' category in del.icio.us and the sidebar will display the URLs.

Hmm, well, wait, now that I open up the page where you can generate your JavaScript it says: "Feed Digest has launched. RSS Digest is deprecated". OK, the *huge* disadvantage of using several of these free services is that they tend to change/disappear on a regular basis. Well, my javascript still works, but it seems you'll have to go there and try it yourself.

Hmm2, they have only 'softlaunched' so far. Guess it means they're still in beta. Means I'm going to wait until I change the script myself. Never change a working script.

Monday, October 10, 2005

Regular Expressions *Can* Be Your Friend If You Treat Them Well

Regular expressions always look like Perl to me... Incomprehensible.

Today I was looking for a way to handle some URLs in text to be displayed on a webpage. This specific webpage is fed some old input containing web links which could not be changed. The not-too-difficult task ahead was to change these old URLs, which are set up according to a predictable scheme, in such a way that they automatically appear all right on the new page according to the new scheme (the old text could just not be changed with a Find-And-Replace action because it still must be available for the old application). It had been some time since I last used regexps, and I can say I learned what a greedy regular expression is by working with one :)

The expression "/pathtourl/.*?/" did the trick. A first attempt did not include the ?, leading to a greedy expression. It keeps on searching for the last / character it can find. In my case that's normally the one in the anchor closing tag </a>. That way the complete URL plus the part between the tags up to and including '</' is replaced, leading to some very invalid HTML.

So, as I mentioned, the '?' did the trick..... However: I found that not all URLs in the text adhered to this principle. Some did not have a second '/' in the URL, leading to the same situation as described above :)
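The three stages described above (greedy, lazy, and the URL without a second '/'), as an added Python example that is not from the original post. The sample HTML, the '/newscheme/' replacement prefix and the hardened pattern are assumptions; the post does not give the new URL scheme.

```python
import re

# Constructed sample input (not from the post): two old-scheme links, the second
# has no second '/' after the prefix, which is the case the post runs into.
OLD_HTML = (
    '<p>See <a href="/pathtourl/abc/page.html">first</a> and '
    '<a href="/pathtourl/xyz">second</a>.</p>'
)

# Assumed new scheme: the '/pathtourl/' prefix becomes '/newscheme/'.
NEW_PREFIX = "/newscheme/"

# 1) Greedy: '.*' runs to the LAST '/' on the line, swallowing anchor text and tags.
GREEDY = re.compile(r"/pathtourl/.*/")

# 2) Lazy (the post's fix): '.*?' stops at the FIRST '/' after the prefix. Works only
#    if every URL really has a second '/', otherwise it runs into the '/' of '</a>'.
LAZY = re.compile(r"/pathtourl/.*?/")

# 3) Hardened (assumed): the path segment is a negated class that cannot contain
#    '/', quotes, '<', '>' or whitespace, so the match can never leave the href value.
SAFE = re.compile(r"""/pathtourl/([^/"'<>\s]*)""")


def rewrite_greedy(html: str) -> str:
    return GREEDY.sub(NEW_PREFIX, html)


def rewrite_lazy(html: str) -> str:
    return LAZY.sub(NEW_PREFIX, html)


def rewrite_safe(html: str) -> str:
    # Keep the first path segment (group 1); a '/' following it is never consumed,
    # so it stays where it was, and a URL without one is left intact too.
    return SAFE.sub(lambda m: NEW_PREFIX + m.group(1), html)


def anchors_balanced(html: str) -> bool:
    """Cheap sanity check: every opening <a ...> must still have its </a>."""
    return html.count("<a ") == html.count("</a>")


if __name__ == "__main__":
    for name, fn in [("greedy", rewrite_greedy), ("lazy", rewrite_lazy), ("safe", rewrite_safe)]:
        out = fn(OLD_HTML)
        print(f"{name:6} balanced={anchors_balanced(out)!s:5} {out}")
```

Running it shows the greedy and lazy variants both leave an unclosed anchor on this input, while the negated-class version rewrites only the prefix.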

Sometimes I feel like a bad bugfixer when creating Regexps: fix the expression and see another bug popping up...