Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Your AJAX App Secure?

Posted by ryuzaki0 on from the something-to-think-about dept.

ShaolinTiger writes "An article looking in detail at some of the security problems with AJAX, how to find them and how to approach them or fix them. Security with AJAX is of course an important consideration as it's asychronous and a malicious user could write data back to your database if implemented incorrectly."

7 of 142 comments (clear)

  1. How is this different by El_Muerte_TDS · · Score: 5, Insightful

    How is this different from securing a "normal" dynamic website?

    1. Re:How is this different by grazzy · · Score: 5, Insightful

      There was a new buzzword in the middle of the sentence.

    2. Re:How is this different by stromthurman · · Score: 4, Informative

      You are absolutely correct. The example the author provides of the .len paramter not being checked by the web app is a prime example of the kinds of problems that plague any web application, AJAX or not. Input validation, session validation, user authentication and so forth are required by EVERY web application. This part particularly irritated me:



      If the XmlHttp-interface is merely protected by cookies, exploiting this is all the easier: the moment you get the browser to make a request to that website, your browser is happily sending any cookies along with it.


      That is true of most common methods of session management. For instance, PHP's very own built-in session management, which many people use, uses nothing more than a cookie value to manage the session. If you want to secure any web-app that uses sessions through cookies (again, AJAX or not) you'd better be using an HTTPS connection and cookies that are flagged to only be transmitted across a secure connection, and the author never touches on this point.

      Add to that the whole nonsense about POST being "more secure" or "harder to fake" and it becomes clear that these are the words of a novice web programmer. And clearly this article illustrates nothing more than a web programmer's first experiences with examining the security of a web app.


      But, he's linked to slashdot's main page, with plenty of AdSense links... so good for him.

      --
      I have discovered a truly remarkable sig which this margin is too small to contain.
  2. Re:JUG by stunt_penguin · · Score: 4, Informative

    It should also be possible to add a function that you run for each http request that filters the request for common attacks, and also handles the key the parent talks about.

    So when you're writing a command to make a request, you pass your request into your pre-written function which has any request-related security processes written into it. This way things are reasonably seamless in that you don't have to worry about security every time. I think.

    /relative JS noob who writes a lot of actionscript so therefore *thinks* he knows a language ;o)

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
  3. Isn't that always a threat? by MikeRT · · Score: 4, Insightful

    Hasn't the threat of a SQL injection always been a threat, dating back to the pre-AJAX days of development? Why is this even news? Proper error handling and input checking should be enough to minimize these problems.

  4. Tinfoil Response by 0110011001110101 · · Score: 4, Funny
    You sir, are a sucker. I have found a way to beat the dreaded AJAX Google Maps insecurities. Simply put, I have a new house built every couple of years. My current house will be done in a week or so, and according to Google Maps (evil AJAX house bombing helper) my new cul-de-sac does not even exist. It's just a lot of trees... now who would bomb trees?

    Please please please, buy a new house, or next time the Google Spyplane comes to take pictures, teepee your neighborhood with Tinfoil, I'm sure your neighbors will understand once you explain it to them.

    --
    Don't anthropomorphize computers: they hate that.
  5. semantics of GET and POST by pikine · · Score: 4, Insightful

    Your remark really concludes this topic, and I think any further remarks are redundant. I just want to point out that in the HTTP specification (RFC 2616) section 13.9, it says the following about GET requests:

    Unless the origin server explicitly prohibits the caching of their responses, the application of GET and HEAD methods to any resources SHOULD NOT have side effects that would lead to erroneous behavior if these responses are taken from a cache.

    And in section 9.5, about POST requests:

    Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

    Thus, the only semantic difference between GET and POST is only on side effects. There is no sense in saying one is more secure than another, or one is easier to fake than another.

    If we think of a web server as a function, GET requests means that, let y1 = f(x1) and y2 = f(x2), then x1 = x2 implies y1 = y2. POST requests means there exists y1 and y2, y1 != y2, such that y1 = f(x) and y2 = f(x) for some two applications of f with x. Here y, y1 and y2 are the "web pages" (more generally, resources), and x1, x2, x are the HTTP requests.

    Of course, for a practical, dynamic website, the functional property does not usually hold, and that's why we have "cahce control", which attempts to establish what functional property holds under certain conditions.

    --
    I once had a signature.