[WEB SECURITY] "AJAX breathes new life into Web apps"

Jeremiah Grossman jeremiah at whitehatsec.com
Tue May 24 20:36:28 EDT 2005

True enough, as always the mantra remains don't trust user input.  
However, what I was trying to describe was...

When normal post data arrives it's simple to parse, simple to sanity 


After that we're seeing XML arrive in post data. Arguably a bit more 
complicated to parse, as well as sanity check (likely fewer developers 
are properly sanity checking XML):

	<foo id="1">testing1</foo>
	<foo id="2">testing2</foo>
	<foo id="3">testin3</foo>

Now some new Ajax applications are sending serialized JS objects 
across. The exact reason I don't know (maybe it's eval'ed server-side), 
but it's much more difficult to parse and sanity check:

var newObj = {        /* "new" is a reserved word, so the variable is renamed */
	entry: [
		{ id: '1', text: 'testing1' },
		{ id: '2', text: 'testing2' },
		{ id: '3', text: 'testing3' }
	]
};

That's why I was saying that performing sanity checking in the Ajax 
space is likely to become increasingly complicated. I'm not arguing 
that it should, only that it will.


On Tuesday, May 24, 2005, at 05:23  PM, Ian Holsman wrote:

> It's the same problem as normal POST applications... nothing's really
> changed with/without ajax.
> you shouldn't trust any data coming in from the client.. at the end of
> the day it will be vulnerable to the same kind of attacks as typical
> server-side CGIs are.
> hopefully people have learned a bit and coded securely, but I doubt it.
> --Ian
> On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>> On Tuesday, May 24, 2005, at 01:13  PM, Garth Somerville wrote:
>>> Nathan Tobik wrote:
>>>> I've read a bit about AJAX and it's a pretty cool technology.  What
>>>> I'm wondering is what are the security implications of using this
>>>> within web apps?
>>> One issue could be that it may not occur to developers that
>>> asynchronous requests made using xmlHttpRequest need to be validated
>>> on the server.
>> I also expect this type of server-side-validation to become
>> significantly more complex in the Ajax world. At the moment, we're
>> used to dealing with the standard URL encoded query string format
>> going back and forth across the wire. To some extent, XML as well.
>> However, after ripping apart some of the new Ajax applications, I've
>> been witnessing very strange data structures being passed. For
>> example, serialized DOM objects where it looks like a big complicated
>> JS array. Who knows how this data is being handled on the server. I'm
>> sure others have seen the same.
>> Jeremiah-

The Web Security Mailing List