TalkBack 17 of 22:
It depends...
Ajax is not a technology, it is a mix of technologies, and hence it is better thought of as a "methodology", a way of developing rich GUI web applications. Whether an Ajax application is secure or insecure really depends on how you implement the client-server communications handling, and especially the server's handling of "Ajax" messages. I have written a white paper about this. The onus is on the programmer to make sure their Ajax implementation is secure. A lack of understanding or knowledge of the technologies involved can lead to insecure Ajax applications, so it is an inherent risk without MS's involvement or fault.

Examples of possible security breaches include:
• Script injection to corrupt or destroy data stores via the XMLHttpRequest object
• Script injection to capture personal details such as contact or credit card details via the XMLHttpRequest object
• GUI elements hidden by Ajax can easily be accessed by expert JavaScript users
• Injection of malformed data, via the XMLHttpRequest object, which can lead to denial of service

Some simple rules that Ajax developers and QA personnel need to keep in mind in order to reduce the risk of security breaches and performance degradation are:
• If you use user authentication, make sure you check for it on the request page
• Check for SQL injections
• Check for JavaScript injections
• Keep the business logic on the server
• Don't assume every request is real
• Check the data with validation and XML content filtering
• Inspect the request's header information and make sure it is correct
• Consider how to deal with the asynchronous nature of Ajax responses
• Implement encryption of all communications between the client and server
• Establish and implement a protocol of trust between the client and server to make sure that no other outside entity can masquerade as either
• Implement caching and control of requests to make sure only "valid" requests are processed and acted upon by the server
• Implement XML acceleration capabilities and techniques for transmitting (e.g. XML compression), parsing and validating XML messages
• Use a security testing suite which can check for Ajax vulnerabilities in the application; the benefits far outweigh the costs

Keep in mind that Ajax as a mainstream way of developing rich GUI web-based applications is still quite new, and when every Tom, Dick and Harry web developer decides to implement Ajax because it's "cool", we do have potential problems on our hands, as has been pointed out by many experts. There have already been a number of documented security breaches because of websites with insecure Ajax implementations.
Posted by: the_seb   Posted on: 09/12/06
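As an added example (not code from the_seb's post or from the white paper it mentions), here is a server-side Python handler for one XMLHttpRequest POST that applies several of the rules listed above: it checks authentication on the request itself, inspects the request headers, refuses requests that carry no session-bound token (so no request is assumed to be real), validates the data before use, and looks up the record with a parameterised query so the client cannot inject SQL. The session store, the contact table, the cookie and header names, and the token values are constructed sample data.

```python
import hmac
import json
import sqlite3

# Constructed sample state: one logged-in session and an in-memory contacts table.
SESSIONS = {"sess-ok": {"user": "alice", "csrf": "tok-123"}}
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
DB.execute("INSERT INTO contacts VALUES (1, 'alice', 'Bob'), (2, 'carol', 'Dan')")


def handle_ajax_request(headers, cookies, body):
    """Server side of an Ajax 'look up one contact' call.

    headers/cookies are dicts as the web framework would hand them over;
    body is the raw request body. Returns (http_status, response_dict).
    """
    # Rule: check authentication on the request page itself, not only on the
    # HTML page that loaded the script.
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, {"error": "not authenticated"}
    # Rule: inspect the request's header information before touching the body.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 400, {"error": "not an XMLHttpRequest"}
    media_type = headers.get("Content-Type", "").split(";")[0].strip()
    if media_type != "application/json":
        return 415, {"error": "unexpected content type"}
    # Rule: don't assume every request is real; require a token bound to this
    # session (constant-time compare so the check itself leaks nothing).
    sent = headers.get("X-CSRF-Token", "").encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return 403, {"error": "bad or missing request token"}
    # Rule: validate the data; strict shape, type and range before any use.
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    contact_id = data.get("contact_id") if isinstance(data, dict) else None
    if (not isinstance(contact_id, int) or isinstance(contact_id, bool)
            or not 0 < contact_id < 10**9):
        return 400, {"error": "contact_id must be a positive integer"}
    # Rule: check for SQL injection; the value travels as a bound parameter,
    # never by string concatenation, and the ownership rule (business logic)
    # lives here on the server where the client cannot widen it.
    row = DB.execute("SELECT name FROM contacts WHERE id = ? AND owner = ?",
                     (contact_id, session["user"])).fetchone()
    if row is None:
        return 404, {"error": "no such contact"}
    return 200, {"contact_id": contact_id, "name": row[0]}
```

A string such as "1 OR 1=1" in contact_id is rejected by the type check before the query runs, and a request for another user's contact id returns 404 because the owner condition is enforced server-side.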