Weird Thoughts From Eric's Head


AJAX Security and Mistakes I Have Seen
Well, two items I have on my mind for today with AJAX are security concerns and problems I see with some current implementations of AJAX. Since we are using JavaScript, we are opening one door to people, but it is not much different than a normal form. The problems that I see are just things that I have observed. This might be a little repeat of yesterday, but I think you can handle it.

Security
AJAX is allowing us to develop rich user interfaces, but are we causing more security concerns? I have not seen anyone really discuss this topic in detail, but AJAX is vulnerable just like any other form submission out there!

As everyone in the world should know, JavaScript is effectively open source: you can see the code just by using the View Source command. I have seen great tricks to hide the code, but you can always get to it without much problem. The best thing I ever saw to hide code was 10,000 returns! (I hope you realize I am joking about the best!) People actually fell for this and asked us how they were hiding their source code. My answer: Hit Ctrl F4 as many times as fast as you can, then go back to the page and use the down arrow key. It will trick the computer into showing the code! (The person said it worked... Wish I would have saved that email and printed it on the wall!)

Since people can see your client-side code, they are halfway to understanding your logic. But wait! That is no different than a person looking at the names of your form fields and sending a request. With AJAX you should not be sending SQL queries back to the server; you should be sending back form values, strings, numbers, and whatever else you need to send back.

I have seen people use JavaScript to hack all of the hidden fields on a form! I think I talked about that HERE! Yes, people get slammed with that stupid mistake! A person went in, changed the hidden fields and started to delete every single record from a database, since the logic used did not do any real checks other than on the value in the hidden field. (Okay, that person was I, and I made sure I made a backup to prove a point to a person so I could say "And you complain about my coding" ~ Sorry, getting sidetracked!)

So what am I saying here? You need to build the security on the server side. You need to check the values being passed. Make sure there are no wonderful SQL injections. Whatever you do to verify that a form submission is valid, you need to do it here too. Track sessions, limit requests, verify data, check referrers, and so on! You should be applying the same logic you would for normal form submissions! (You are doing this on your own system with form submissions right now, right?!)
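Here is what that server-side checklist looks like in code, using the "delete every record by editing a hidden field" mistake from above as the request being handled. This is an added example, not code from the original post: the session store, the records table, the origin `https://example.test`, the field names and the request shape are all constructed for the demo and stand in for your real session middleware, database and HTTP layer. The point it makes is that the handler trusts nothing the browser sent until it has been checked against state the server owns, and that the id only ever reaches the database as a bound parameter.

```javascript
// Added example, not code from the original post: a server-side handler for
// an AJAX "delete record" request. It trusts nothing the browser sent
// (hidden fields, ids, tokens) until it has been checked against state the
// server owns. The session store, records table, origin and field names are
// constructed for the demo and stand in for your real middleware and database.

const APP_ORIGIN = "https://example.test";   // assumed origin of our own pages
const MAX_REQUESTS_PER_SESSION = 20;          // crude per-session request limit

// Constructed sample session store (normally your session middleware).
const sessions = {
  "sess-abc": { userId: 42, csrfToken: "tok-1", requests: 0 },
};

// Constructed sample table: record id -> row. The owner decides who may delete.
const records = {
  1: { owner: 42, title: "mine" },
  2: { owner: 7, title: "someone else's" },
};

// Build a parameterised statement. User input only ever lands in `params`,
// never in the SQL text, so "1 OR 1=1" cannot rewrite the WHERE clause.
function buildDeleteQuery(id, ownerId) {
  return { text: "DELETE FROM records WHERE id = ? AND owner = ?", params: [id, ownerId] };
}

// Stand-in for executing the statement against the table above.
function executeDelete(query) {
  const [id, ownerId] = query.params;
  if (records[id] && records[id].owner === ownerId) {
    delete records[id];
    return 1;
  }
  return 0;
}

// req = { cookies: { sessionId }, headers: { referer }, body: { id, token } }
function handleDelete(req) {
  // Track sessions: the request must come from a known, logged-in session.
  const session = sessions[req.cookies.sessionId];
  if (!session) return { status: 401, error: "no session" };

  // Limit requests: stop a script hammering the endpoint in a loop.
  session.requests += 1;
  if (session.requests > MAX_REQUESTS_PER_SESSION) {
    return { status: 429, error: "too many requests" };
  }

  // Check referrers: a weak signal (clients can omit it) but cheap to verify.
  const referer = req.headers.referer || "";
  if (!referer.startsWith(APP_ORIGIN + "/")) return { status: 403, error: "bad referer" };

  // The per-session token proves the request was built by our own page, not
  // by a form or script on someone else's site.
  if (req.body.token !== session.csrfToken) return { status: 403, error: "bad token" };

  // Verify data: the id must be a positive integer, whatever the hidden field said.
  const id = Number(req.body.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400, error: "bad id" };

  // Authorisation comes from server-side data, not from the submitted value:
  // the query itself is scoped to the session's user, so even a guessed id of
  // someone else's record deletes nothing.
  const deleted = executeDelete(buildDeleteQuery(id, session.userId));
  if (deleted === 0) return { status: 403, error: "not your record" };
  return { status: 200, deleted };
}
```

Note the order: session first, then the rate limit, then the cheap header and token checks, then the value itself, and only then the database. Everything the client controls is rejected before it can cost you a query, and the ownership check lives in the query rather than in a hidden field.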

Problems, Issues, Peeves, etc!
People that start to use AJAX are jumping into it without thinking about what the consequences are. We are taking on a new technology that is only supported by a limited number of browsers: IE 5.0, 5.5, 6.0, Netscape 6.x, 7.x, Mozilla 1.x, Firefox 1.x, Safari 1.x, and Opera 8.01. Are you concerned with that? Personally I am not, since I am working on the premise that only current technology should be supported. What are you going to do for the browsers that do not support AJAX? Yes, we can detect if they do not support it (I will talk about that tomorrow). Are you going to lose that audience, or are you lucky like me and work with only one browser on an intranet? Do you still support Netscape 4.x? Or do you develop two pages, or double the amount of code on one page? Up to you to choose!

Now let's talk about the problems I have seen in applications. I am not going to point out applications, toolkits, or frameworks, since that is not nice. Yesterday I talked about searches and how they are not bookmarkable. The simple fix was to add a link that gives you the option to save the results. Enough on that subject; if you want more information, look at yesterday's blog!

One thing that is nice is that AJAX runs "secretly" in the background, meaning you really do not know what is happening. This stealth mode is great, but some applications perform their actions and you have no clue that anything is happening!

You click a button and nothing happens; no message or animation is displayed. How am I supposed to know if I did not click the button hard enough? A normal form submission shows the progress bar in the browser. AJAX does not. Let's do another analogy, since people like analogies! It is like going to your friend's house and ringing the doorbell. You sit there waiting; your friend said they would be home, and you are standing there twiddling your thumbs. You then think to yourself: did it ring? I did not hear it, or did I hear it and just not realize it? You press it again and you do not hear it, so you keep hitting it thinking it will work eventually. Your friend finally gets to the door and says, "STOP IT! I have ears you know, I was on the toilet!!"

So you need to give the user some indication that an action has been taken! That is the short answer to that issue. Use a layer and pop it up with the word "processing". Use an animated gif, or go back 7 years and get those groovy status bar and title bar scrollers. (Come on, you people, you know your first site had them along with your clocks, mouse followers, flying text, shaking browsers, etc. ~ SLAP ~ off the path again!)
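The doorbell problem in code, as an added example that is not from the original post: a small wrapper that shows the "processing" layer, refuses the second and third click while a request is outstanding, and gives up after a timeout so the user is not stuck forever when the server accepts the request and then hangs (the case raised in the comments below). The page elements, the transport and the timers are passed in rather than hard-wired, so in a browser you would hand it real DOM nodes, a function that drives `XMLHttpRequest`, and `setTimeout`/`clearTimeout`; here it runs against constructed fakes. All the names (`createSubmitter`, `makeFakeEnvironment`, the demo functions) are the example's own.

```javascript
// Added example, not code from the original post: a small wrapper that gives
// the user visible feedback while an AJAX request is outstanding, refuses
// duplicate clicks, and gives up after a timeout. The page elements, the
// transport and the timers are passed in, so in a browser you hand it real
// DOM nodes, a function that drives XMLHttpRequest, and setTimeout/clearTimeout;
// here it runs against constructed fakes. All names are the example's own.

function createSubmitter({ button, statusLayer, send, timeoutMs = 8000,
                           setTimer = setTimeout, clearTimer = clearTimeout }) {
  let inFlight = false;

  function finish(message) {
    inFlight = false;
    button.disabled = false;        // the doorbell works again
    statusLayer.textContent = message;
  }

  return {
    // Returns true if a request was sent, false if one is already outstanding.
    submit(payload, onDone) {
      if (inFlight) return false;   // second, third... click: ignored, not resent
      inFlight = true;
      button.disabled = true;
      statusLayer.hidden = false;   // the "processing" layer the post suggests
      statusLayer.textContent = "Processing...";

      let settled = false;
      const timer = setTimer(() => {
        if (settled) return;
        settled = true;
        finish("No answer from the server. Please try again.");
        onDone({ ok: false, timedOut: true });
      }, timeoutMs);

      send(payload, (response) => {
        if (settled) return;        // reply arrived after we gave up: ignore it
        settled = true;
        clearTimer(timer);
        finish(response.ok ? "Done." : "Request failed.");
        onDone(response);
      });
      return true;
    },
    isBusy() { return inFlight; },
  };
}

// Constructed fakes so the demo runs outside a browser: replies and timers are
// released by hand instead of by the network and the clock.
function makeFakeEnvironment() {
  const pending = [];
  const timers = [];
  return {
    button: { disabled: false },
    statusLayer: { textContent: "", hidden: true },
    send: (payload, cb) => { pending.push({ payload, cb }); },
    setTimer: (fn) => timers.push(fn) - 1,
    clearTimer: (id) => { timers[id] = null; },
    sentCount: () => pending.length,
    replyToLast: (response) => pending.pop().cb(response),
    fireTimers: () => timers.forEach((fn, i) => { if (fn) { timers[i] = null; fn(); } }),
  };
}

function wire(env) {
  return createSubmitter({ button: env.button, statusLayer: env.statusLayer,
                           send: env.send, setTimer: env.setTimer, clearTimer: env.clearTimer });
}

// The post's scenario: the user clicks three times while the first request is
// still outstanding. Exactly one request goes out and the UI says so.
function demoImpatientUser() {
  const env = makeFakeEnvironment();
  const form = wire(env);
  const results = [];
  const accepted = [1, 2, 3].map(() => form.submit({ q: "search" }, (r) => results.push(r)));
  const sent = env.sentCount();
  const statusWhileWaiting = env.statusLayer.textContent;
  env.replyToLast({ ok: true });
  return { accepted, sent, statusWhileWaiting, results, buttonEnabledAfter: !env.button.disabled };
}

// The server accepts the request and then hangs: the timeout releases the UI,
// and a reply that arrives later cannot flip it again.
function demoServerHang() {
  const env = makeFakeEnvironment();
  const form = wire(env);
  const results = [];
  form.submit({ q: "search" }, (r) => results.push(r));
  env.fireTimers();                        // the clock runs out, no reply yet
  const afterTimeout = { busy: form.isBusy(), status: env.statusLayer.textContent };
  env.replyToLast({ ok: true });           // the server finally answers
  return { afterTimeout, results, statusAfterLateReply: env.statusLayer.textContent };
}
```

The `settled` flag is the part worth copying: without it, a reply that straggles in after the timeout would re-run your "done" handler against a form the user has already resubmitted.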

Another thing that irks me is trying to use AJAX too much. Yes, you should use AJAX, but there is a limit. Just because you can use it does not mean it has to be done that way. For example, a .NET site used AJAX to fill in dropdown fields after the page loads. For a double combo, yes, do it, but not for a single dropdown. Now we do the entire rendering of the page, the page loads, and then we send back another request to get the dropdown values and pull them in again. It is a waste of time. It should be done on the server unless we are talking about fields that are related to other items on the page!

All I can say is: use AJAX wisely. And tomorrow we will get to do the HELLO WORLD example! I know you are excited to do it!



Eric Pascarello
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages


Somehow I think tomorrow's HELLO WORLD example should be done on the server unless we are talking about the WORLD being related to other items on the page! like HELLO. :) Great article again.
Actually the Hello World example is not going to be a Hell World example, since I have hated them since the first time I compiled a C program and it would not run to save my life! We are going to determine if a file exists from a plain old HTML file! Whoopie!

Eric
You said "You press it again and you do not hear it so you keep hitting it thinking it will work eventually. Your friend finally gets to the door and says, "STOP IT! I have ears you know I was on the toilet!!"". But what happens if he dies before he opens the door but after shouting? The door's still closed. My point is: what happens in IE if the server crashes/hangs after accepting the request? Does it time out? Does it hang? Or does it allow us to do other things? I hope you got my question.

