[WEB SECURITY] "AJAX breathes new life into Web apps"

Jeremiah Grossman jeremiah at whitehatsec.com
Tue May 24 16:49:43 EDT 2005

On Tuesday, May 24, 2005, at 01:13  PM, Garth Somerville wrote:

> Nathan Tobik wrote:
>> I've read a bit about AJAX and it's a pretty cool technology.  What
>> I'm wondering is what are the security implications of using this
>> within web apps?
> One issue could be that it may not occur to developers that 
> asynchronous requests made using xmlHttpRequest need to be validated 
> on the server.

I also expect this type of server-side-validation to become 
significantly more complex in the Ajax world. At the moment, we're used 
to dealing with the standard URL encoded query string format going back 
and forth across the wire. To some extent, XML as well.

However, after ripping apart some of the new Ajax applications, I've 
been witnessing very strange data structures being passed. For example, 
serialized DOM objects where it looks like a big complicated JS array. 
Who knows how this data is being handled on the server. I'm sure others 
have seen the same.
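The point raised in this thread, that data arriving over XMLHttpRequest must be validated on the server and that the serialized structures Ajax apps send are harder to check than a flat query string, is illustrated below with an added example. It is not code from the original post or from any application mentioned in it; the "profile update" schema, its field names and the limits are assumptions chosen for illustration. The server parses the body as plain JSON (never evaluating it as script) and then checks it against an explicit allow-list of fields, types, lengths and patterns, rejecting anything the schema does not describe:

```javascript
// Added example: server-side validation of a payload submitted by XMLHttpRequest.
// Not from the original mailing-list post; the schema (a hypothetical "profile
// update" call), its field names and limits are assumptions for illustration.
// Uses only Node.js built-ins.

// Explicit allow-list of what the client may send. Anything not described
// here is rejected: the server, not the browser-side script, decides what a
// valid request looks like.
const PROFILE_SCHEMA = {
  type: 'object',
  fields: {
    displayName: { type: 'string', maxLength: 40, pattern: /^[\w .'-]+$/ },
    age:         { type: 'integer', min: 0, max: 150 },
    tags:        { type: 'array', maxItems: 5,
                   items: { type: 'string', maxLength: 20, pattern: /^[a-z0-9-]+$/ } },
  },
  required: ['displayName'],
};

const MAX_BODY_BYTES = 4096; // refuse oversized bodies before parsing at all

// Recursively check `value` against `rule`, appending human-readable
// problems to `errors`. `path` names the location for the error message.
function checkValue(value, rule, path, errors) {
  switch (rule.type) {
    case 'string':
      if (typeof value !== 'string') { errors.push(`${path}: expected string`); return; }
      if (value.length > rule.maxLength) errors.push(`${path}: longer than ${rule.maxLength}`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${path}: disallowed characters`);
      return;
    case 'integer':
      if (!Number.isInteger(value)) { errors.push(`${path}: expected integer`); return; }
      if (value < rule.min || value > rule.max) errors.push(`${path}: out of range`);
      return;
    case 'array':
      if (!Array.isArray(value)) { errors.push(`${path}: expected array`); return; }
      if (value.length > rule.maxItems) { errors.push(`${path}: too many items`); return; }
      value.forEach((item, i) => checkValue(item, rule.items, `${path}[${i}]`, errors));
      return;
    case 'object':
      if (value === null || typeof value !== 'object' || Array.isArray(value)) {
        errors.push(`${path}: expected object`);
        return;
      }
      for (const key of Object.keys(value)) {
        if (!Object.prototype.hasOwnProperty.call(rule.fields, key)) {
          errors.push(`${path}.${key}: unexpected field`); // reject, do not silently ignore
          continue;
        }
        checkValue(value[key], rule.fields[key], `${path}.${key}`, errors);
      }
      for (const key of rule.required || []) {
        if (!Object.prototype.hasOwnProperty.call(value, key)) errors.push(`${path}.${key}: missing`);
      }
      return;
    default:
      errors.push(`${path}: unknown rule type`);
  }
}

// Validate a raw request body exactly as the server receives it. Returns
// { ok: true, value } with the parsed, schema-checked object, or
// { ok: false, errors } listing every problem found.
function validateXhrBody(rawBody, schema = PROFILE_SCHEMA) {
  if (typeof rawBody !== 'string' || Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, errors: [`body missing or larger than ${MAX_BODY_BYTES} bytes`] };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody); // data only; never eval() a client-supplied "JS array"
  } catch (e) {
    return { ok: false, errors: ['body is not well-formed JSON'] };
  }
  const errors = [];
  checkValue(parsed, schema, 'body', errors);
  return errors.length === 0 ? { ok: true, value: parsed } : { ok: false, errors };
}

// Constructed sample bodies, as a client-side script might send them.
const GOOD_BODY = JSON.stringify({ displayName: 'Ada L.', age: 36, tags: ['xhr', 'xml'] });
const BAD_BODY = JSON.stringify({
  displayName: '<script>', age: '36', isAdmin: true, tags: ['a', 'b', 'c', 'd', 'e', 'f'],
});

console.log(validateXhrBody(GOOD_BODY)); // ok: true
console.log(validateXhrBody(BAD_BODY));  // ok: false, four distinct problems reported
```

The second sample shows why a field-by-field allow-list matters for serialized structures: the bad body is well-formed JSON, yet it carries a wrong type, a disallowed character, an extra field the client was never meant to set, and an oversized array, and each is reported rather than silently passed through to the application.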
