Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Your AJAX App Secure?

Posted by ryuzaki0 on from the something-to-think-about dept.

ShaolinTiger writes "An article looking in detail at some of the security problems with AJAX, how to find them and how to approach them or fix them. Security with AJAX is of course an important consideration as it's asychronous and a malicious user could write data back to your database if implemented incorrectly."

2 of 142 comments (clear)

  1. Re:JUG by stunt_penguin · · Score: 4, Informative

    It should also be possible to add a function that you run for each http request that filters the request for common attacks, and also handles the key the parent talks about.

    So when you're writing a command to make a request, you pass your request into your pre-written function which has any request-related security processes written into it. This way things are reasonably seamless in that you don't have to worry about security every time. I think.

    /relative JS noob who writes a lot of actionscript so therefore *thinks* he knows a language ;o)

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
  2. Re:How is this different by stromthurman · · Score: 4, Informative

    You are absolutely correct. The example the author provides of the .len paramter not being checked by the web app is a prime example of the kinds of problems that plague any web application, AJAX or not. Input validation, session validation, user authentication and so forth are required by EVERY web application. This part particularly irritated me:



    If the XmlHttp-interface is merely protected by cookies, exploiting this is all the easier: the moment you get the browser to make a request to that website, your browser is happily sending any cookies along with it.


    That is true of most common methods of session management. For instance, PHP's very own built-in session management, which many people use, uses nothing more than a cookie value to manage the session. If you want to secure any web-app that uses sessions through cookies (again, AJAX or not) you'd better be using an HTTPS connection and cookies that are flagged to only be transmitted across a secure connection, and the author never touches on this point.

    Add to that the whole nonsense about POST being "more secure" or "harder to fake" and it becomes clear that these are the words of a novice web programmer. And clearly this article illustrates nothing more than a web programmer's first experiences with examining the security of a web app.


    But, he's linked to slashdot's main page, with plenty of AdSense links... so good for him.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.