Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Your AJAX App Secure?

Posted by ryuzaki0 on from the something-to-think-about dept.

ShaolinTiger writes "An article looking in detail at some of the security problems with AJAX, how to find them and how to approach them or fix them. Security with AJAX is of course an important consideration as it's asychronous and a malicious user could write data back to your database if implemented incorrectly."

4 of 142 comments (clear)

  1. How is this different by El_Muerte_TDS · · Score: 5, Insightful

    How is this different from securing a "normal" dynamic website?

    1. Re:How is this different by grazzy · · Score: 5, Insightful

      There was a new buzzword in the middle of the sentence.

  2. Isn't that always a threat? by MikeRT · · Score: 4, Insightful

    Hasn't the threat of a SQL injection always been a threat, dating back to the pre-AJAX days of development? Why is this even news? Proper error handling and input checking should be enough to minimize these problems.

  3. semantics of GET and POST by pikine · · Score: 4, Insightful

    Your remark really concludes this topic, and I think any further remarks are redundant. I just want to point out that in the HTTP specification (RFC 2616) section 13.9, it says the following about GET requests:

    Unless the origin server explicitly prohibits the caching of their responses, the application of GET and HEAD methods to any resources SHOULD NOT have side effects that would lead to erroneous behavior if these responses are taken from a cache.

    And in section 9.5, about POST requests:

    Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

    Thus, the only semantic difference between GET and POST is only on side effects. There is no sense in saying one is more secure than another, or one is easier to fake than another.

    If we think of a web server as a function, GET requests means that, let y1 = f(x1) and y2 = f(x2), then x1 = x2 implies y1 = y2. POST requests means there exists y1 and y2, y1 != y2, such that y1 = f(x) and y2 = f(x) for some two applications of f with x. Here y, y1 and y2 are the "web pages" (more generally, resources), and x1, x2, x are the HTTP requests.

    Of course, for a practical, dynamic website, the functional property does not usually hold, and that's why we have "cahce control", which attempts to establish what functional property holds under certain conditions.

    --
    I once had a signature.