[WEB SECURITY] "AJAX breathes new life into Web apps"

Jeremiah Grossman jeremiah at whitehatsec.com
Tue May 24 21:12:54 EDT 2005


On Tuesday, May 24, 2005, at 05:55  PM, Ian Holsman wrote:

> On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>> True enough, as always the mantra remains don't trust user input.
>> However, what I was trying to describe was...
>>
>> When normal post data arrives its simple to parse, simple to sanity
>> check:
>>
>> foo=1&bar=2&text=testing
>>
>>
>> After that we're seeing XML arrive in post data. Arguably a bit more
>> complicated to parse, as well as sanity check (Likely less developers
>> are properly sanity checking XML):
>>
>> <data>
>>         <foo id="1">testing1</foo>
>>         <foo id="2">testing2</foo>
>>         <foo id="3">testin3</foo>
>> </data>
>>
> this is the same kind of thing as a SOAP/XML-RPC request IMHO..
> it really depends on what application they are using.. most would
> sanity check the XML for 'free'

What do you mean, 'free'?

> and the it wouldn't even get near the application code. it still
> leaves the problem of SQL injection and stuff like that though..

It does indeed.


>> Now some new Ajax applications are sending serialized JS objects
>> across. The exact reason I don't know (maybe it's eval'ed 
>> server-side),
>> but its much more difficult to parse and sanity check:
>
> they are probably stuck in 'everything is a java object' world.
> they would have a piece of code which would de-serialize it, but yuk..
> what a hopeless communication protocol..

I make no claim that its smart, flexible, or easy. But its there none 
the less.


> if this is going server-> client, the reason is that you can just do a
> eval( response.text );
>
> and then the stuff is dynamically run on the client side. kind of like
> self-modifying code.

Absolutely. I've seen this done here and there. Specifically in gmail 
when I first looked at it. It was the first time I saw JS array data 
passed into the client.


Jeremiah-




---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list