AJAX and security

 
Greenhorn
Posts: 1
Are you aware of any security vulnerabilities with using AJAX? I know of one instance where a non-malicious user created a worm to expand his buddy list by manipulating the XMLHttpRequest object using AJAX in an online community.
 
Author
Posts: 39
Yes, but the vulnerability that was exploited was not *because* of Ajax! Honestly, Ajax doesn't introduce any new security issues - anything that a malicious user can do with a normal web app can be done with Ajax. The one thing I'll caution though - Ajax is more "hackable" so think twice before you expose your datastore or business logic in JavaScript. Essentially you just need to practice safe web apps and you'll be fine.
 
author
Posts: 15385
I wrote an article on it yesterday: http://radio.javaranch.com/pascarello/2005/11/16/1132198968655.html

Eric
 
Nate Schutta
Author
Posts: 39
Nice piece Eric - well stated. To me, security is a bit of a red herring when it comes to Ajax...much like the "it's only for rocket scientists" claim.