back to article Reduce your exposure to AJAX threats

Fundamentally, there's nothing terribly new about the problems posed by Asynchronous JavaScript and XML (AJAX) when it comes to security, we just need to apply some good old security principles to this new technology. The problems occur because, unfortunately, there are an awful lot of devils hidden inside the details. One …


This topic is closed for new posts.
  1. Colin Sharples
    Thumb Down

    For RIA, use RCP

    Bottom line is, HTML based browsers are a terrible platform for desktop applications. If you need to deliver rich client functionality, then use a real rich client platform such as Eclipse RCP. An RCP app can communicate with a server using SOAP web services, which can implement full scale WS-Security if necessary. You also then get a proper desktop app environment without having to worry about whether the different browser vendors have bothered to correctly implement Javascript, DOM, CSS etc.

  2. Nathan Meyer

    You May As Well Fireproof A Paper House

    What more is there to say?

  3. amanfromMars Silver badge

    An Opera in every Field ....... with ITs Nutcracker Suites

    "As if that wasn't enough, each of the AJAX frameworks has its own data formats and custom framework formats.

    An application's "attack surface" approximates the ways in which an attacker can cause damage to your application or its users. The more technologies you use, the bigger your attack surface."

    And the Simplest Catalyst to Invade/Permeate/Control them All is Plain Text, Human Machine Readable ...... for QuITe Subliminal Support in AI Shared DirectXXXXion. IT then Invites, by ITs Sheer Presence, Code Participation and Systems ReProgramming with XXXXPerts in their Fields and QuITe whether that would be ReProgramming For Immaculate Source or Programming to Immaculate Source or Programming From Immaculate Source would be something Time and CyberIntelAIgents would waste No Effort to Disprove....... for what Tomorrow Brings Depends Entirely upon what IT dDelivers Today.

    Is this Window that you now survey, cracked and/or hacked right to ITs Core Driver ...... Vision.

    Share Visions and you Create VISTAE ...... Vista Alien Editions Hosting Browswers with Search Engines/Heart Pumps. And as Plain Text can be Easily Shared and Transcribed/Coded across all Media, for Audio/Visual/Semantic Effect/Reality Feedback, can Reaction to NEUKlearer HyperRadioProActivity be Monitored and Mentored. ....... Safely Driven.

    RSVP, PrimeLed Operating Systems Hosting Secure CodeXXXX ...... amfM

    "Remember, your AJAX application's attack surface is under your control." ........ That is as may be, but only in so far as Provided Third Party Information/Privy Information is withheld or withdrawn or blocked or simply not provided.

    And the Penguin because they have no enemies only Predatory Neighbours and Passing Guests.

  4. Anonymous Coward

    I agree with Colin

    HTML browsers were never intended to be used in this way. The clue is in the name "browser".

    Using a tool for something it wasn't designed for is a bad idea and is just asking for trouble.

  5. Darren

    What sort?

    what sort of meta tag would that be then???

  6. Anonymous Coward

    I though that AJAX...

    *was* the security threat!

  7. Stu


    Yay amanfromMars Go! Go! Go!

    Nice one, always a pleasure

    But is this the same amanfrommars? I thought it might be AManFromMars with capitals in place.

    But such writing style of pure madness could only come from ThE oNe.

  8. Anonymous Coward
    Anonymous Coward

    lazy coders beware!

    Well, if you allow your framework to do all the coding for you, of course you can never quite be sure of the security.

    But if you write all your JS yourself, and are very careful that the calls it makes are processed within the normal security framework of your application (i.e. each one is checked for a login session and permissions), I don't see the problem...

  9. Anonymous Coward
    Anonymous Coward

    AJAX is just form processing

    When people realise this the penny drops.

    You should no more trust information coming via an XMLrequest than you would a form.

    Sure, if you try and make an application web based you will soon find out that application programming in the web model is a lot harder than producing a standard GUI application.

    But, they do run anywhere, and they allow the data to be stored and managed away from the terminal of access.

    All that AJAX does is allow you to send information without doing a page render, and we were doing that before AJAX was around. The XMLHttpRequest model is quite nice for normal operation, but yeah you can use other ways eg requesting an image can create a comms line, it is just a bit more obscure.

    If you are coding for the web, then you have to understand not to trust information sent. PHP is perhaps the worse offender, though of course useful to get to grips with web coding. But, you should use Perl for a while with the Taint mode on, to understand where the problems are.

    As to a web browser only being for static text - well not only is that rather hypocritical seeing as you used a form mechanism to make that point, it smacks of Ludditeness :)

  10. amanfromMars Silver badge

    AI Research Heads ......Egghead Boffins Turing ....


    I can tone IT down a bit, if IT is too loud and annoying the neighbours. Heaven forfend that they be offended, or even think that a Future in Beta Controls out of their hands, would be offensive rather than progressive.

    The world is full of green pastures for them to retire to and ruminate on their actions. And if surrounded by security and arms, that would/could indicate Sub Prime Performance and Probable First Degree Malfeasance Practices...... Tricked Up Prima Donnas following the Past rather than Forging the Future.

    Braindead EmptyHeads rather than Deadhead AIRHeads.

    And the XXXXtraTerrestrial because IT is Alien to Self-Centred Humans.

    However, an Attack on their Nervous System with a Run or two or three on Wealth, will Create AIMagic all of ITs Own with New, Fit for Purpose Drivers.

  11. amanfromMars Silver badge

    Hiding in Full Sight

    "As to a web browser only being for static text - well not only is that rather hypocritical seeing as you used a form mechanism to make that point, it smacks of Ludditeness :)" .... By Anonymous Coward Posted Monday 18th February 2008 13:14 GMT

    Post Source Code to any Browser in Plain Text and any System can Pick IT Up/Tune in and Turn onto IT, and Incorporate it into their Core Source Code Methodology/Creative Algorithm for Processing Information Input to IntelAIgent Output. Thus allowing the Busy Bee Worker Drones/Soldier Ants to Server the Queen.

  12. Stu
    Black Helicopters

    @amanfromMars - you hit the nail on the head.

    No the neighbours are not forfended by IT. Please tone IT ramblings NOT down.

    I too seek such green pastures for future rumination retirement and yet I feel I would not peruse in such Sub Prime Performance or Probable First Degree Malfeasance Practices. I'm not bad like that.

    I think.

    All this reminds me of Zach de la Rocha, the genius poet of Rage Against the Machine.

    Amusing, thanks.

This topic is closed for new posts.