[WEB SECURITY] "AJAX breathes new life into Web apps"

Ian Holsman kryton at gmail.com
Tue May 24 20:23:59 EDT 2005


It's the same problem as normal POST applications... nothing's really
changed with/without ajax.

you shouldn't trust any data coming in from the client.. at the end of
the day it will be vulnerable to the same kind of attacks as typical
server-side CGIs are.

hopefully people have learned a bit and coded securely, but I doubt it.


--Ian

On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> 
> On Tuesday, May 24, 2005, at 01:13  PM, Garth Somerville wrote:
> 
> > Nathan Tobik wrote:
> >
> >> I've read a bit about AJAX and it's a pretty cool technology.  What
> >> I'm
> >> wondering is what are the security implications of using this within
> >> web
> >> apps?
> >>
> > One issue could be that it may not occur to developers that
> > asynchronous requests made using xmlHttpRequest need to be validated
> > on the server.
> 
> I also expect this type of server-side-validation to become
> significantly more complex in the Ajax world. At the moment, we're used
> to dealing with the standard URL encoded query string format going back
> and forth across the wire. To some extent, XML as well.
> 
> However, after ripping apart some of the new Ajax applications, I've
> been witnessing very strange data structures being passed. For example,
> serialized DOM objects where it looks like a big complicated JS array.
> Who knows how this data is being handled on the server. I'm sure others
> have seen the same.
> 
> Jeremiah-
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 


-- 
Ian at Holsman.net -- 03-9877-0909
If everything seems under control, you're not going fast enough. -
Mario Andretti

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
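The point made in the thread above (an XMLHttpRequest body needs exactly the same server-side validation as a classic form POST, and odd serialized structures should be refused rather than guessed at) is illustrated here with an added example that is not part of the list post. The endpoint, its field schema, the size and nesting limits and all sample requests are constructed for the example; the only dependencies are the Python standard library.

```python
"""
Added example (not from the list thread): one server-side validator
applied to both a classic form POST and an XMLHttpRequest JSON body,
so whether the request came from Ajax has no bearing on what is trusted.
All names, the schema, the limits and the sample requests are constructed.
"""
import json
from urllib.parse import parse_qs

# Hypothetical schema for an "update profile" endpoint: every accepted
# field is listed with its exact type and a bound; anything else is rejected.
SCHEMA = {
    "user_id": (int, lambda v: 0 < v < 10**9),
    "display_name": (str, lambda v: 1 <= len(v) <= 64),
    "newsletter": (bool, lambda v: True),
}
MAX_BODY_BYTES = 4096
MAX_DEPTH = 2  # a profile update is flat; deep JS-array blobs are refused


class ValidationError(ValueError):
    pass


def _depth(value, level=1):
    """Depth of nested containers; a scalar counts as level 1."""
    if isinstance(value, dict):
        return max((_depth(v, level + 1) for v in value.values()), default=level)
    if isinstance(value, list):
        return max((_depth(v, level + 1) for v in value), default=level)
    return level


def _coerce_form(fields):
    """Turn parse_qs output (lists of strings) into typed values per SCHEMA."""
    out = {}
    for key, values in fields.items():
        if key not in SCHEMA:
            raise ValidationError(f"unexpected field: {key}")
        if len(values) != 1:
            raise ValidationError(f"field repeated: {key}")
        expected, _ = SCHEMA[key]
        raw = values[0]
        if expected is bool:
            if raw not in ("true", "false"):
                raise ValidationError(f"bad boolean: {key}")
            out[key] = raw == "true"
        elif expected is int:
            if not raw.isdigit():
                raise ValidationError(f"bad integer: {key}")
            out[key] = int(raw)
        else:
            out[key] = raw
    return out


def parse_body(content_type, body):
    """Decode the wire format into a dict without yet trusting any of it."""
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    if content_type == "application/x-www-form-urlencoded":
        return _coerce_form(parse_qs(body.decode("utf-8"), strict_parsing=True))
    if content_type == "application/json":
        try:
            data = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            raise ValidationError("malformed JSON") from exc
        if not isinstance(data, dict):
            raise ValidationError("top-level value must be an object")
        if _depth(data) > MAX_DEPTH:
            raise ValidationError("nesting too deep")
        return data
    raise ValidationError(f"unsupported content type: {content_type}")


def validate(data):
    """Allow-list check: every key known, every value the right type and in bounds."""
    extra = set(data) - set(SCHEMA)
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    missing = set(SCHEMA) - set(data)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    clean = {}
    for key, (expected, ok) in SCHEMA.items():
        value = data[key]
        # bool is a subclass of int in Python, so compare the type exactly.
        if type(value) is not expected or not ok(value):
            raise ValidationError(f"invalid value for {key}")
        clean[key] = value
    return clean


def handle_request(content_type, body):
    """Single entry point shared by the form path and the XHR path."""
    try:
        return "200", validate(parse_body(content_type, body))
    except ValidationError as exc:
        return "400", str(exc)


if __name__ == "__main__":
    # Constructed sample requests: a form POST and its Ajax equivalent pass,
    # a serialized DOM-style blob and a JS array at the top level are refused.
    print(handle_request("application/x-www-form-urlencoded",
                         b"user_id=42&display_name=ian&newsletter=true"))
    print(handle_request("application/json",
                         b'{"user_id": 42, "display_name": "ian", "newsletter": true}'))
    print(handle_request("application/json",
                         b'{"user_id": 42, "display_name": "ian", "newsletter": true, '
                         b'"dom": [["div", [["span", ["x"]]]]]}'))
    print(handle_request("application/json", b"[1, 2, 3]"))
```

The two accepted requests produce the identical cleaned dict, which is the practical meaning of "nothing's really changed": the handler never asks whether the body came from a form or from XMLHttpRequest. Because the schema is an allow-list with exact types, a string where an integer is expected, an extra field, or a deeply nested structure is rejected before any application code sees it.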


