Slashdot Mirror

← Back to Stories (view on slashdot.org)

AJAX May Be Considered Harmful

Posted by Zonk on from the web-20-needs-vitamins dept.

87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."

2 of 308 comments (clear)

  1. Re:FUD by bunions · · Score: 4, Interesting

    those 'gigantic problems' aren't problems with Ajax. There exist good solutions for both. The solutions, however, are nontrivial and are typically ignored by developers for whatever reasons.

    --
    there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
  2. re: first post by jimbojw · · Score: 4, Interesting
    You might - if you can find an available XSS vulnerability to use as a vector. TFA assumes this blithely for the sake of demonstration, but it's a big assumption.

    Further, the slashdot summary suggests that Prototyping is a design flaw in JavaScript/ECMAScript. This wrong for two reasons:
    1. The article doesn't mention this.
    2. Prototyping is not a design flaw.
    Prototyping is a very useful language feature that can be used to do all sorts of things that would otherwise be cumbersome or impossible. Ruby is a prototyped language - a feature which is responsible for much of the 'magic' of Rails.

    The article does outline a number of Ajax related vulnerabilities, but like most vulnerabilities, they can be mitigated or avoided entirely if paid attention to - much like the SQL injections of old.

    Arguing that Prototyping or Ajax makes JavaScript unsafe is fud. These are powerful language features that (like any powerful feature) can be used for evil if an injection mechanism is available.