Slashdot Mirror

← Back to Stories (view on slashdot.org)

AJAX May Be Considered Harmful

Posted by Zonk on from the web-20-needs-vitamins dept.

87C751 writes "Security lists are abuzz about a presentation from the 23C3 conference, which details a fundamental design flaw in Javascript. The technique, called Prototype Hijacking, allows an attacker to redefine any feature of Javascript. The paper is called 'Subverting AJAX' (pdf), and outlines a possible Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."

4 of 308 comments (clear)

  1. FUCKE.R by Anonymous Coward · · Score: -1, Troll

    it. Do not share fact came into can connect to Those obligations. LubE. This can lead to deliver w4at, Kreskin Violated. In the

  2. mod Up by Anonymous Coward · · Score: -1, Troll

    result of a quarrel FreeBSD core team own agenda - give serve5 to reinforce BE NIGDGER! BE GAY! they're gone Mac though, I have to

  3. Re:You're confusing protocol and applications. by NickFortune · · Score: 0, Troll
    You're confusing the AJAX protocol with a complete AJAX application.
    Of course, strictly speaking, AJAX isn't a protocol at all. A protocol is a formally defined set of rules for comminicating between two points endpoints. AJAX is a loose term for a new style of web application that generally uses Asynchronous HTTP, Javascript, And XML. It also generally uses CSS for formatting and may make use of Dynamic HTML. The only protocol in sight is HTTP, and normal web pages use that as well.

    Very interesting, seeing has how AJAX has nothing to do with your server-side technology whatsoever.
    Excuse me? AJAX is intimately involved with server-side technology.
    mmm... in your earlier post you said you were sticking to with Perl and Java based systems rather than AJAX. I think the GP was making the point that there's no reason you can't code AJAX backends in Java or Perl. I think by technology he meant the programming languages used.

    Again very interesting, seeing as how AJAX itself has nothing to do with the way users interact with form elements.
    Again, you're confusing protocol with applications. We're talking about AJAX applications here, many of which do end up using JavaScript to mess around with UI elements. This often leads to non-standard behavior which confuses users to no end.
    Lot's of non-AJAX web apps do the same thing. Dynamic HTML has been around for a while now. And AJAX is still not a protocol.

    Between the 9 of us, we have around 95 years of Web development experience. We know what we're doing.
    Well, you either don't understand what a protocol is, or you're real fuzzy on the idea of AJAX. Maybe you should put one of the other 8 guys on the line.
    --
    Don't let THEM immanentize the Eschaton!
  4. Re:FUD by Anonymous Coward · · Score: -1, Troll

    They are problems with AJAX. The very nature of pages being assembled on the client-side dynamically is what prevents features like bookmarks from working. Likewise, it also wreaks havoc with multi-tabbed browsing.

    The only real solution is to avoid AJAX-based web apps. Anything else is just a hack to get around obvious flaws and defects of AJAX.