application. In the case of a framework that has been selected to convert an existing
application, the chosen framework walks through the entire supplied source tree and
generates the new application from it. The problem that can arise here is that, in some
cases, developers rely on hidden URLs to perform administrative functions. As with the
internal-method and debug-functionality exposures, developers could get away with this in
Web 1.0-style applications, where an attacker would have to brute-force every possible
URL to find the hidden one. However, because the Web 2.0 framework knows about the full
source tree (including the previously hidden URLs), these URLs can leak out in the
JavaScript sent to the client.
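A quick way to check a migrated application for this exposure is to pull every path-like string literal out of the client-side JavaScript it serves and look for administrative or debug segments. The following is an added example, not code from the book or from any particular framework: a small Python scanner run over a constructed sample bundle; the route names in that sample, and the list of "sensitive" segment names, are assumptions for the illustration.

```python
import re

# Constructed sample of a client-side bundle as a Web 2.0 framework might
# generate it from the full source tree. The route names are hypothetical.
JS_BUNDLE = r"""
var routes = {
  home: "/app/home.do",
  search: "/app/search.do?q=",
  profile: '/app/user/profile.do',
  adminUsers: "/app/admin/listUsers.do",
  adminReset: "/app/admin/resetPassword.do",
  debugDump: "/app/debug/dumpSession.do"
};
function callRemote(path, cb) { var xhr = new XMLHttpRequest(); xhr.open("GET", path); xhr.send(); }
"""

# A quoted string that starts with "/" and looks like one or more path
# segments, optionally followed by a query string.
PATH_RE = re.compile(r"""["']((?:/[A-Za-z0-9_.\-]+)+/?(?:\?[^"']*)?)["']""")

# Segment names that usually mark administrative or debug endpoints
# (an assumed list; extend it for the application under test).
SENSITIVE_RE = re.compile(r"/(admin|debug|internal|manage|console)(?=/|$)", re.I)


def extract_paths(js_source: str) -> list:
    """Return the unique URL paths found as string literals in js_source,
    sorted, with any query string removed."""
    found = set()
    for m in PATH_RE.finditer(js_source):
        found.add(m.group(1).split("?", 1)[0])
    return sorted(found)


def flag_sensitive(paths) -> list:
    """Return the subset of paths whose segments match SENSITIVE_RE."""
    return [p for p in paths if SENSITIVE_RE.search(p)]


if __name__ == "__main__":
    paths = extract_paths(JS_BUNDLE)
    print("all paths referenced by the bundle:")
    for p in paths:
        print("  ", p)
    print("candidates for hidden administrative/debug functions:")
    for p in flag_sensitive(paths):
        print("  ", p)
```

In practice you would feed extract_paths the JavaScript files downloaded from the target rather than the embedded sample; anything the scanner flags should then be requested as an unauthenticated user, since a URL that was "hidden" in the old application frequently has no access control of its own.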
Full Functionality
While not a security issue in itself, full functionality exposure deserves a discussion
because of its potential security impact. As discussed previously with the other exposure
classes, when a user visits a web application that has been migrated to a Web 2.0-style
application, he or she is usually sent a set of JavaScript files that contain the full
functionality of the web application.