from_future_import has a post stating that Fortify’s recent Ajax alarm is more FUD than fact. Money quote in this one:
And MOST importantly the exploit is only applicable to JSON that also happens to be valid JavaScript code.
Was it FUD or fact? A bit of both. The benefit of the paper is that, unlike other discussions of these issues, it was written in plain English, diagrammed, and not meant to be understood only by insiders. Perhaps if more Ajax developers adopted the same approach to documenting issues, concerns, and examples, documents such as the one given out by Fortify wouldn’t get the audience they do.
Or we could all use XML, only (she says as she ducks and runs…)
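To make the distinction in that money quote concrete, here is an added Node.js example (not from the original post, from_future_import, or the Fortify paper; function names are my own): a check for whether a JSON body would also parse as a JavaScript program if a page pulled it in through a script tag, plus the two usual defences.

```javascript
// Added example: a JSON response is only exposed to script-inclusion ("JSON hijacking")
// if its text is ALSO a syntactically valid JavaScript program. A top-level array or
// primitive is an ordinary expression statement; a top-level object is parsed as a
// block statement and fails at the first `"key":`, so it cannot run as a script.

// Returns true if `text` would parse as JavaScript source. new Function() only parses
// the body here; it is never invoked.
function parsesAsJavaScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Defence 1: never return a bare array at the top level; wrap it in an object.
function wrapTopLevel(value) {
  return JSON.stringify(Array.isArray(value) ? { d: value } : value);
}

// Defence 2 (the prefix some frameworks use): prepend a string that is a JavaScript
// syntax error, so the body can never execute as a script. A cooperating XHR client
// strips the prefix before JSON.parse.
const SCRIPT_BREAKER = ")]}',\n";

function protectJson(jsonText) {
  return SCRIPT_BREAKER + jsonText;
}

function parseProtectedJson(body) {
  if (!body.startsWith(SCRIPT_BREAKER)) {
    throw new Error("missing anti-hijacking prefix");
  }
  return JSON.parse(body.slice(SCRIPT_BREAKER.length));
}

// Constructed sample responses (not real data): the two shapes the quote contrasts.
const SAMPLE_ARRAY = '[{"user":"alice","email":"alice@example.invalid"}]';
const SAMPLE_OBJECT = '{"users":[{"user":"alice"}]}';

console.log("array executable as script:", parsesAsJavaScript(SAMPLE_ARRAY));   // true
console.log("object executable as script:", parsesAsJavaScript(SAMPLE_OBJECT)); // false
console.log("protected array executable:", parsesAsJavaScript(protectJson(SAMPLE_ARRAY))); // false
```

The syntax check covers only the precondition named in the quote; whether a given browser actually leaks the values once the script runs is a separate question the post does not go into.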
While I was in the neighborhood, I picked up a couple of other links in comments:
Practical CSRF and JSON Security
An ArsTechnica post on the original article.
(Thanks to Michael Bernstein for the link)