Experts Say Ajax Not Inherently Insecure

Posted by Zonk on Friday December 1, 2006 @06:23AM from the good-to-know dept.

An anonymous reader writes "Jeremiah Grossman (CTO of WhiteHat Security) has published Myth-Busting - an article dismissing the hyped-up claims that AJAX is insecure. He says: 'The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true ... Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS) , reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged.'"

1 of 82 comments (clear)

Min score:

Reason:

Sort:

Re:That article was a mixed bag by PacoSuarez · 2006-12-01 07:01 · Score: 2, Informative

The XMLHttpRequest certainly does execute on the server and allows a range of parser attacks that you were less likely to get with other technologies. Which would you rather validate, a set of CGI parameters or a blob of XML? The XMLHttpRequest looks to the server just like any other HTTP request, with parameters passed the exact same way as you would pass them to a CGI program. The only side that needs to parse a bunch of XML is the client, which is not much of a security problem.