
Thread: Myth-Busting AJAX (In)security

  1. #1
    Jordan Guest

    Myth-Busting AJAX (In)security

    Myth-Busting AJAX (In)security
    Thursday - November 11, 2006 | WhiteHat Security publication
    The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have a difficult time cutting through the buzzword banter to find the facts. And, the fact is most websites are insecure, but AJAX is not the culprit. Although AJAX does not make websites any less secure, it’s important to understand what does.

    AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated “on-the-fly” without the user moving from page to page. In the background of an AJAX-enabled web page, data (typically formatted in XML, but also HTML, JavaScript, etc.) is transferred to and from the web server. In the case of Gmail, new email messages are displayed as they arrive automatically. In Google Maps, a user may mouse-drag through street maps without visiting additional pages. The mechanism for performing asynchronous data transfers is a software library embedded in all modern web browsers called XMLHttpRequest (XHR). XHR is the key to a website earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.

    If you’re thinking that none of this sounds security related, you’re right. AJAX technology makes website interactivity smoother and more responsive. That’s it. Nothing changes on the web server, where security is supposed to reside. If that’s the case, then what is everyone talking about? Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS), reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged. If you’re like me, you want to know what’s really important, so let’s take a closer look.

    Does AJAX cause a larger “Attack Surface”? No.

    Full Story
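The server-side point of the excerpt above, as an added JavaScript example that is not part of the WhiteHat article or this forum post: an XHR request reaches the server as an ordinary HTTP request, so input validation and output escaping must not depend on how the client sent it. The `handleSaveNote` handler, the sample request objects and the 200-character limit are constructed for illustration.

```javascript
// Added example: the same server-side checks apply whether a request came
// from XMLHttpRequest or from a plain form post. Request objects below are
// constructed in-line (no network), shaped like a parsed HTTP request.

const MAX_NOTE_LEN = 200; // assumed application limit

// Escape untrusted text before it goes into an HTML fragment that an AJAX
// page will inject into the DOM; the XSS risk is the same as for a full page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical handler. The X-Requested-With header is set by the client and
// is only reported here; it is never used to decide whether to validate.
function handleSaveNote(req) {
  const viaXhr = (req.headers['x-requested-with'] || '') === 'XMLHttpRequest';
  const note = req.body && req.body.note;
  if (typeof note !== 'string' || note.length === 0 || note.length > MAX_NOTE_LEN) {
    return { status: 400, viaXhr, fragment: '<p class="err">invalid note</p>' };
  }
  return { status: 200, viaXhr, fragment: `<p class="note">${escapeHtml(note)}</p>` };
}

// Constructed sample requests: an XHR client, a plain form post with the same
// body, and an XHR request carrying markup in the note field.
const xhrReq = { headers: { 'x-requested-with': 'XMLHttpRequest' }, body: { note: 'hello' } };
const formReq = { headers: {}, body: { note: 'hello' } };
const markupReq = {
  headers: { 'x-requested-with': 'XMLHttpRequest' },
  body: { note: '<b>hi</b> & "bye"' },
};

// Both transports produce the identical response; markup is escaped on output.
console.log(handleSaveNote(xhrReq));
console.log(handleSaveNote(formReq));
console.log(handleSaveNote(markupReq).fragment);
```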

  2. #2
    dirkfirst, Programming Expert (joined May 2006, 354 posts)
    lol, I didn't even know AJAX was insecure.
