[WEB SECURITY] "AJAX breathes new life into Web apps"
jeremiah at whitehatsec.com
Tue May 24 21:12:54 EDT 2005
On Tuesday, May 24, 2005, at 05:55 PM, Ian Holsman wrote:
> On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>> True enough, as always the mantra remains don't trust user input.
>> However, what I was trying to describe was...
>> When normal post data arrives it's simple to parse, simple to sanity
>> After that we're seeing XML arrive in post data. Arguably a bit more
>> complicated to parse, as well as sanity check (likely fewer developers
>> are properly sanity checking XML):
>> <foo id="1">testing1</foo>
>> <foo id="2">testing2</foo>
>> <foo id="3">testing3</foo>
> this is the same kind of thing as a SOAP/XML-RPC request IMHO..
> it really depends on what application they are using.. most would
> sanity check the XML for 'free'
What do you mean, 'free'?
> and then it wouldn't even get near the application code. It still
> leaves the problem of SQL injection and stuff like that though..
It does indeed.
>> Now some new Ajax applications are sending serialized JS objects
>> across. The exact reason I don't know (maybe it's eval'ed
>> but it's much more difficult to parse and sanity check:
> they are probably stuck in 'everything is a java object' world.
> they would have a piece of code which would de-serialize it, but yuk..
> what a hopeless communication protocol..
I make no claim that it's smart, flexible, or easy. But it's there none
> if this is going server-> client, the reason is that you can just do a
> eval( response.text );
> and then the stuff is dynamically run on the client side. kind of like
> self-modifying code.
Absolutely. I've seen this done here and there. Specifically in gmail
when I first looked at it. It was the first time I saw JS array data
passed into the client.
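The `eval( response.text )` idiom discussed above, shown beside a data-only alternative. This is an added example written for this archive page; it is not code from the thread, from gmail, or from any project either poster mentions. The two response strings are constructed for the demonstration, the record shape (an array of `{id, text}` objects, echoing the `<foo id="1">testing1</foo>` records quoted above) and the function names are assumptions, and `JSON.parse` is a later (ES5-era) addition to browsers, so it is offered as the modern replacement for the 2005 idiom rather than something the posters had available.

```javascript
// Added example, not from the original thread: what eval() of a serialised
// response does with hostile content, versus parsing the same text as data
// and sanity-checking its shape before use.
//
// Constructed "good" response: an array of records, as a server might send.
const GOOD_RESPONSE = '[{"id":1,"text":"testing1"},{"id":2,"text":"testing2"}]';

// Constructed hostile response: still a syntactically valid JS array literal,
// but the second element is an immediately-invoked function. eval() runs it
// with the page's privileges; JSON.parse() rejects it as a syntax error.
const HOSTILE_RESPONSE =
  '[{"id":1,"text":"testing1"},' +
  '(function(){ globalThis.sideEffect = "code ran"; return {"id":2,"text":"x"}; })()]';

// The idiom from the thread: hand the response text straight to eval().
// Anything that is valid JavaScript executes; there is no way to "sanity
// check" it short of parsing JavaScript yourself. Indirect eval ((0, eval)(text))
// would change the scope, not the risk.
function loadWithEval(text) {
  return eval(text);
}

// Shape check applied after parsing: the point of the thread's
// "don't trust user input" mantra, applied to structured data.
// Rules (assumed for this example): non-empty array of plain objects, each with
// exactly a positive integer `id` and a bounded string `text`.
function validateRecords(value) {
  if (!Array.isArray(value) || value.length === 0) throw new TypeError("expected a non-empty array");
  for (const rec of value) {
    if (typeof rec !== "object" || rec === null || Array.isArray(rec)) throw new TypeError("expected an object");
    if (Object.keys(rec).length !== 2) throw new TypeError("unexpected fields");
    if (!Number.isInteger(rec.id) || rec.id < 1) throw new TypeError("bad id");
    if (typeof rec.text !== "string" || rec.text.length > 64) throw new TypeError("bad text");
  }
  return value;
}

// The alternative: treat the response as data. JSON.parse() only accepts the
// JSON subset, so function calls, assignments and other code never get a
// chance to run, and the parsed value is then checked against the expected shape.
function loadAsData(text) {
  return validateRecords(JSON.parse(text));
}

// Returns true if `loader` executed the hostile response's embedded code.
function runsHostileCode(loader) {
  delete globalThis.sideEffect;
  try { loader(HOSTILE_RESPONSE); } catch (e) { /* rejected: fine */ }
  return globalThis.sideEffect === "code ran";
}

// Returns true if the data loader rejects `text` (syntax or shape error).
function rejectsAsData(text) {
  try { loadAsData(text); return false; } catch (e) { return true; }
}

// Demonstration when run directly:
console.log("eval executes hostile response:", runsHostileCode(loadWithEval));   // true
console.log("JSON.parse executes hostile response:", runsHostileCode(loadAsData)); // false
console.log("good response records:", loadAsData(GOOD_RESPONSE).length);         // 2
```

The shape check is the part that does not come for free from any parser, XML or JSON: it is where a string `id`, an extra field, or an oversized value is refused before it reaches application code, and it is the same place a SQL injection check has to live regardless of the wire format, as Ian notes above.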