How to Make Ajax Secure
Filed in archive AJAX on September 18, 2006
We all know how popular Ajax is getting, and with its increasing popularity it will certainly attract unwanted attention: security issues will crop up as hackers try to exploit it. Ajax applications execute on the user's machine and exchange only small amounts of data with the server, so the entire web page does not have to be reloaded. This makes the page more responsive. Ajax uses JavaScript's XMLHttpRequest object, which can be set to operate behind the scenes asynchronously, triggered by a timer or by user keystrokes. This implies that JavaScript code on a web page can connect to web servers independently of the user and pull in cross-domain content.
There is a real chance that Ajax could be exploited. Most web applications comply with the same-origin policy, which compels them to connect only to the server that delivered the base page, but this is not applicable to Ajax scripts. There is always a fear of malicious scripts stealing data stored in cookies or directly accessing the originating server; cross-site scripting vulnerabilities, for example, could be exploited easily.
Michael Cobb has outlined five steps for thwarting these threats:
1. The key coding discipline of never trusting the client still applies, so any security controls should be implemented on the server and never controlled by the user.
2. Initially, keep the application straightforward. Reducing and simplifying any Ajax calls makes it easier to evaluate all possible types of requests that can be generated by a page or application during security testing.
3. Document and explain how the application communicates with the server and handles the responses it receives. Cover such issues as SSL connections for sensitive information.
4. Complete security testing prior to moving the application online, with special emphasis placed on checking for access control and input validation flaws.
5. Visit the Web Application Security Project for help with developing secure Ajax applications.
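As an added illustration of steps 1 and 4 (not code from the original post or from Michael Cobb), here is the server-side half of a hypothetical Ajax endpoint that ignores anything the client claims about itself, validates the request body against a strict allow-list, and decides access control from server-side session and database state. The endpoint, session cookies, note records and field names are all constructed for the example.

```javascript
// Hypothetical endpoint: POST /api/notes/update with JSON body
// {"noteId": "...", "title": "..."}. The Ajax client may also run checks
// for usability, but the server repeats every one of them.

// Constructed server-side state: sessions keyed by an opaque cookie value
// that the server issued, and notes with their recorded owner.
const SESSIONS = { "sess-alice": { userId: "alice" }, "sess-bob": { userId: "bob" } };
const NOTES = { n1: { owner: "alice", title: "grocery list" } };

// Input validation: strict allow-list on field names, types, format and length.
// Any extra field (for example a client-supplied userId or role) is rejected
// rather than silently honoured.
function validateUpdate(body) {
  if (typeof body !== "object" || body === null) return "body must be an object";
  if (Object.keys(body).sort().join(",") !== "noteId,title") return "unexpected fields";
  if (typeof body.noteId !== "string" || !/^[a-z0-9]{1,16}$/.test(body.noteId)) return "bad noteId";
  if (typeof body.title !== "string" || body.title.length === 0 || body.title.length > 100) return "bad title";
  return null;
}

// The handler trusts only the session cookie (set by the server) and the
// database record; the identity of the caller never comes from the body.
function handleUpdate(sessionCookie, rawBody) {
  const session = SESSIONS[sessionCookie];
  if (!session) return { status: 401, error: "not authenticated" };

  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: "invalid JSON" };
  }
  const problem = validateUpdate(body);
  if (problem) return { status: 400, error: problem };

  // Access control decided server-side from the owner recorded in the DB.
  // Missing and foreign notes get the same answer so ids cannot be enumerated.
  const note = NOTES[body.noteId];
  if (!note || note.owner !== session.userId) return { status: 403, error: "forbidden" };

  note.title = body.title;
  return { status: 200, note: { id: body.noteId, title: note.title } };
}
```

Wiring `handleUpdate` to a real HTTP framework and session store is left to the application; the point is that every decision above is made from state the client cannot edit.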
