Scratch Free! Easy Rinse Formula!

No, not that Ajax®. You know, AJAX: Asynchronous JavaScript And XML.

Is it really as scratch free as they claim?

It's a hot topic: security and how it relates to AJAX. Should we be worried? I mean, it's a relatively young technology, and most young technologies have security problems. Is it disconcerting that Microsoft is using it all over their new apps and operating systems? Should we fret because Google uses it across their website? We've never had a problem with Microsoft and security before, right? *sarcasm* Let's break it down.

Historically, when you loaded a web page, you had one request and only had to validate input on the server side once. Now, when you load a page in the browser, you need to validate input, and then any time AJAX connects back to your server, you need to re-validate that input and then handle the results correctly. You have now multiplied the potential leaks by 2. Now, what if the response you are returning is JavaScript code (I return XML most of the time, but it's possible to return JS)? Are you going to blindly run the JS you returned? Why wouldn't you? I mean, it came from your script. But if someone found a leak to get garbage into your AJAX, how do you know what is returned is not garbage? So now we have opened up potential security leaks by an order of 3.
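To make the point concrete, here is an added example (not code from the original post) showing the two response-handling styles side by side: a callback that runs the response body as JavaScript, and one that treats it as data, parses it, and re-validates every field on every round trip. The field names (username, unread) and the response bodies are constructed for the example; the transport itself is left out so it runs offline.

```javascript
// Added example, not from the original post. Constructed response bodies stand in
// for what an XMLHttpRequest callback would receive from the server.

// The pattern the post warns about: the body is assumed to be trusted JS and executed.
// Whatever reached the response body (a bug, a proxy, a leak upstream) now runs in the page.
function handleResponseUnsafe(body) {
  return eval(body); // eslint-disable-line no-eval
}

// Hardened pattern: the body is data. Parse it, check its shape and types, reject the rest.
function handleResponseSafe(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'response is not valid JSON' };
  }
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    return { ok: false, error: 'unexpected response shape' };
  }
  // Re-validate on every AJAX round trip, exactly as you would on the initial page load.
  if (typeof data.username !== 'string' || !/^[A-Za-z0-9_]{1,32}$/.test(data.username)) {
    return { ok: false, error: 'username failed validation' };
  }
  if (!Number.isInteger(data.unread) || data.unread < 0) {
    return { ok: false, error: 'unread count failed validation' };
  }
  return { ok: true, username: data.username, unread: data.unread };
}

// Render the validated result as plain text; nothing from the response is interpreted as markup.
function renderStatus(result) {
  if (!result.ok) return 'Error: ' + result.error;
  return result.username + ' has ' + result.unread + ' unread messages';
}

// Constructed sample bodies: one well-formed, one garbage that happens to be valid JS.
const GOOD_BODY = '{"username":"leroy","unread":3}';
const GARBAGE_BODY = '6 * 7';
```

Feeding GARBAGE_BODY to the unsafe handler executes it as code and yields 42, while the safe handler rejects it as malformed data; the same discipline applies to XML responses, which should be parsed and checked rather than handed to anything that executes them.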

Have you seen those new Mac commercials? I own a few Macs and love 'em. But c'mon guys, you are challenging the community to find flaws and hacks in Mac OS. Why do this? They are not invincible. And with AJAX running on every platform that has a JS-enabled browser, what are we in for? Remember Robert Morris, 1988?

Sources:
http://www.it-observer.com/articles/1062/ajax_security/
http://en.wikipedia.org/wiki/Morris_Worm
http://www.securityfocus.com/infocus/1868
http://www.usatoday.com/money/industries/technology/2006-08-04-ajax-attack-usat_x.htm

Published by

Leroy Leese

Leroy is a Zend PHP Certified Engineer from Knoxville, TN. He has been computing for over two decades, drag-racing for 16 years, and spent a year with a band as a guitarist.