Wednesday, January 10, 2007

AJAX Security Concerns

Recently, I read a well-done article about security concerns and recommendations for securing Web application development, especially AJAX applications.

Since Ajax Web applications exist on both the client and the server, they raise the following security issues:
  • Create a larger attack surface with many more inputs to secure
  • Expose internal functions of the Web application server
  • Allow a client-side script to access third-party resources with no built-in security mechanisms

AJAX implementations require a trust relationship between the client and server — a relationship that can be exploited by an attacker...

The JavaScript in the Ajax engine traps the user's commands and makes function calls to the server in clear text. Browser requests and Ajax engine requests look identical: the server cannot distinguish a request issued by JavaScript from one issued in response to a user action. This makes it very difficult for an individual to prove that they did not perform a certain action.

It also means that JavaScript can use Ajax to request a resource in the background, without the user's knowledge. The browser automatically adds the necessary authentication or state-keeping information, such as cookies, to the request. JavaScript code can then read the response to this hidden request and send further requests. This expansion of JavaScript's capabilities increases the possible damage of a Cross-Site Scripting (XSS) attack.

Read the whole excellent article, "AJAX Security Dangers" by Bill Hoffmann.
