Slashdot Mirror


AJAX May Be Considered Harmful

87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."

1 of 308 comments

  1. Re:You're confusing protocol and applications. by NickFortune · Score: 0, Troll
    You're confusing the AJAX protocol with a complete AJAX application.
    Of course, strictly speaking, AJAX isn't a protocol at all. A protocol is a formally defined set of rules for communicating between two endpoints. AJAX is a loose term for a new style of web application that generally uses Asynchronous HTTP, Javascript, And XML. It also generally uses CSS for formatting and may make use of Dynamic HTML. The only protocol in sight is HTTP, and normal web pages use that as well.

    Very interesting, seeing as how AJAX has nothing to do with your server-side technology whatsoever.
    Excuse me? AJAX is intimately involved with server-side technology.
    mmm... in your earlier post you said you were sticking with Perl and Java based systems rather than AJAX. I think the GP was making the point that there's no reason you can't code AJAX backends in Java or Perl. I think by technology he meant the programming languages used.

    Again very interesting, seeing as how AJAX itself has nothing to do with the way users interact with form elements.
    Again, you're confusing protocol with applications. We're talking about AJAX applications here, many of which do end up using JavaScript to mess around with UI elements. This often leads to non-standard behavior which confuses users to no end.
    Lots of non-AJAX web apps do the same thing. Dynamic HTML has been around for a while now. And AJAX is still not a protocol.

    Between the 9 of us, we have around 95 years of Web development experience. We know what we're doing.
    Well, you either don't understand what a protocol is, or you're real fuzzy on the idea of AJAX. Maybe you should put one of the other 8 guys on the line.
    --
    Don't let THEM immanentize the Eschaton!