XSS holes on dapper.net 0

Dapper is a web service which provides webservice creation on the fly. You can create your own APIs, feed etc. by just meshing selected areas from different websites. It is pretty similiar to Yahoo Pipes. Switch/Twitch already pointed out, that dapper completely breaks the same origin policy, which is the basic security concept for rich web applications (it is partly broken by Flash anyway, but this is written on another sheet of paper). But even worse, dapper itself was vulnarable against XSS injections which I found out two weeks ago. The vendor replied quickly and fixed the issues I had demonstrated. The combination of breaking the same origin policy and vulnarabilities on dapper is pretty dangerous. Hopefully the developers really know that they are playing with fire.

Filed on 20-06-2007, 20:08 under , , , , & no comments & no trackbacks