
Eric Pascarello interviewed about AJAX security vulnerabilities

Eric Pascarello, the co-author of Ajax in Action, has been interviewed by Colleen Frye at SearchWebServices.com. We already talked about the MySpace Worm in October, and Eric has answered many questions concerning this worm, the need for security in AJAX applications, server-side validation ...

Ajax is being lauded as a technology to deliver a richer user experience. But does the use of an XMLHttpRequest open up security vulnerabilities?

Eric Pascarello: When people look at Ajax they see this XMLHttpRequest object performing magic on a Web page and they think that this can lead to major security flaws. When we do a simple view source on the page, we see the page we are calling, the parameters that are being sent. Anyone with any basic knowledge of JavaScript can easily inject scripts onto the page and change the request object to send other data. So yes, it is open to attack, but it is not anything to be afraid of.

Eric also gives some rules for Ajax security:

1. If you use user authentication, make sure you check for it on the request page!
2. Check for SQL injections.
3. Check for JavaScript injections.
4. Keep the business logic on the server!
5. Don't assume every request is real!
6. Check the data with validation!
7. Look at the request's header information and make sure it is correct.
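As an added example (not code from the interview or from this post), here is a small Python handler that applies these rules on the server side of a hypothetical Ajax user-lookup call. The session store, the table contents and the `Request` object are constructed stand-ins for whatever the real application uses; the point is the order of the checks, not the framework.

```python
import html
import re
import sqlite3
from dataclasses import dataclass


def make_db():
    """Constructed in-memory table standing in for the application's real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Hypothetical session store: opaque session token -> user id.
SESSIONS = {"tok-alice-123": 1}

# Whitelist for the one parameter this endpoint accepts.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


@dataclass
class Request:
    """Minimal stand-in for the HTTP request an Ajax call produces."""
    method: str
    headers: dict
    params: dict


def session_from_cookie(cookie_header):
    # Pull the session token out of a "k=v; k2=v2" cookie header.
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == "session":
            return value
    return None


def handle_lookup(req, conn):
    """Server-side handler for an Ajax user-lookup call; returns (status, body)."""
    # Rule 1: check authentication on the request page itself; never trust
    # that the UI only calls this after the user has logged in.
    token = session_from_cookie(req.headers.get("Cookie", ""))
    if token not in SESSIONS:
        return 401, {"error": "not authenticated"}

    # Rules 5 and 7: a request that does not look like the one our page sends
    # (wrong method, no X-Requested-With header) is rejected before any work is done.
    if req.method != "POST" or req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 400, {"error": "unexpected request"}

    # Rule 6: validate the data against a whitelist; this also stops the SQL
    # and script injection payloads of rules 2 and 3 at the door.
    name = req.params.get("name", "")
    if not NAME_RE.match(name):
        return 400, {"error": "invalid name"}

    # Rule 2: even validated input goes into the query as a bound parameter.
    row = conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return 404, {"error": "no such user"}

    # Rule 3: anything echoed back into the page is HTML-escaped. Rule 4: the
    # decision about what a caller may see lives here, not in the browser.
    return 200, {"id": row[0], "name": row[1], "email_html": html.escape(row[2])}


if __name__ == "__main__":
    db = make_db()
    good = Request(
        "POST",
        {"Cookie": "session=tok-alice-123", "X-Requested-With": "XMLHttpRequest"},
        {"name": "alice"},
    )
    print(handle_lookup(good, db))
```

The method and `X-Requested-With` checks are a cheap filter, not a substitute for the authentication check: a plain HTML form cannot set a custom header, so they reject requests that did not come from the page's own XMLHttpRequest call, but anyone who can script an HTTP client can add the header, which is exactly why the session check and the input whitelist come first and the query is parameterized regardless.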

Read Eric Pascarello's interview

Comments

I think we'll start finding a lot of security holes as untrained developers will still be in the habit of trusting input from their ajax apps. If you're receiving POST data or GET data for that matter, always think that the data could be coming from ANYWHERE, not just your webpage. Someone could be writing a socket script against it, posting data over and over again until they find that flaw. NEVER trust user input whether it be from a regular form page or an AJAX request. That being said, since xmlhttprequest lives in the same security sandbox as javascript, it can only be used to call back to the originating server.

However with Firefox extensions xmlhttprequest can call ANY page ANYWHERE, so I see some potential for misuse there if people install shady extensions.
