Security: Cross-Site Scripting

David Attard
Greenhorn

Joined: May 13, 2003
Posts: 26
Guys,

Ajax is obviously changing the face of Web Applications, and I (don't we all?) love it. However, there are security implications with JS and Cross-Site Scripting. I know there are other security implications with normal web applications, but what would your recommendations be about developing and testing secure Ajax-enabled web applications?


There's no place like 127.0.0.1
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60785
From the point of view of the server, an Ajax request is just like any other. So all the security techniques and patterns that apply to requests in "normal" web applications still apply. The primary rule being, of course, never trust data from the client. Always validate your data and check credentials regardless of whether a request was generated via a link, a form post, Ajax, or anything else.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Axl Weslowski
Greenhorn

Joined: Jan 23, 2006
Posts: 2
Originally posted by David Attard:
Guys,

Ajax is obviously changing the face of Web Applications, and I (don't we all?) love it. However, there are security implications with JS and Cross-Site Scripting. I know there are other security implications with normal web applications, but what would your recommendations be about developing and testing secure Ajax-enabled web applications?


I too am curious what people are using for security testing. I just test-drove Selenium IDE, TestGen4Web, Sahi and FireWatir this week. TestGen4Web meets my personal requirements fine for QA testing with Firefox, but I wonder what tools people are using to automate security testing of AJAX and other JavaScript.