Weird Thoughts From Eric's Head


Is Ajax unsecure?

Well, with the book promotion of Ajax in Action at JavaRanch, the question that kept popping up was: "What about security?" The truth is that yes, some Ajax applications are very open to attack. The reason: way too much business logic on the client and a poorly implemented design on the server.

When we look at any web application we do a few things. We check where the data is coming from. We look for SQL injection. We look for JavaScript injection if we are re-posting that data back into a page.

Now we need to apply these same tests to Ajax. We are still posting data to the server, and the server's business logic still handles it. We should ALWAYS handle the business logic ON THE SERVER. I need to stress this, since it is the only way you can secure your application. Let the server build the queries or decide which stored procedures to call. Some applications out there expose this on the client, and then you are looking for trouble: you have just handed the attacker your column names and table names. Not a good thing!

An article that people may like is on MSDN: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx?side=true#a. It gives a quick overview of how a person goes about SQL injection. For JavaScript injection you need to look at all of the event handler attributes (onclick, onload, onmouseover and so on), the javascript: URL scheme, script tags, and so on. If you allow public comments or any other user-supplied HTML, this can cause some trouble. Read the story about Samy on MySpace here: http://www.ajaxian.com/archives/2005/10/sammy_uses_ajax.html. With a little JavaScript in a profile page, it caused a big problem for MySpace.
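As an added example (not code from the original post), here is how the two injection classes just described arise in an Ajax back end, and the server-side fix for each. It is framework-free so it runs stand-alone; the query shapes, the `SAMPLE_COMMENT` payload and the function names are constructed for illustration.

```javascript
// Added example (not from the original post): SQL injection and JavaScript
// injection as they show up behind an Ajax request, with the fix for each.
// Query shapes, names and the sample payload are constructed for illustration.

// --- SQL injection ------------------------------------------------------
// Vulnerable: the server splices the request parameter straight into SQL.
// A username of  ' OR '1'='1  turns the WHERE clause into a tautology.
function buildLoginQueryUnsafe(username) {
  return "SELECT id FROM users WHERE username = '" + username + "'";
}

// Fix: the SQL text is fixed on the server and the value travels separately
// as a bound parameter, so the database never parses it as SQL.
function buildLoginQueryParameterized(username) {
  return { text: "SELECT id FROM users WHERE username = ?", values: [username] };
}

// --- JavaScript injection -----------------------------------------------
// Detection aid, for logging and review only: the markers the post tells you
// to look for (event handler attributes, the javascript: scheme, script tags).
// A blocklist like this is easy to evade, so it is never the defense itself.
function looksLikeScriptInjection(text) {
  return /<\s*script/i.test(text) ||
         /\bon[a-z]+\s*=/i.test(text) ||
         /javascript\s*:/i.test(text);
}

// The fix when re-posting user text (e.g. a comment) into a page: encode the
// characters that can end a text node or an attribute value, so the browser
// sees data rather than markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Constructed sample comment in the style of a profile-page worm payload.
const SAMPLE_COMMENT = '<div style="x" onmouseover="fetch(\'/addFriend\')">hi</div>';
```

If you need to allow a small set of tags in comments (as this blog's own form does), escaping everything is not enough and a regex blocklist is not safe; that case calls for a real HTML parser with an allow-list of tags and attributes, which is outside this example.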

If you think that Ajax is insecure and your classic post-back forms are not, think again. Anyone can easily alter a form submission in a normal framework and cause havoc. I have written about it in the past on my blog: http://radio.javaranch.com/pascarello/2004/04/28/1083160143000.html. After looking at the links in that post, you can see that any application is vulnerable to attack.

Eric's Rules of Thumb for Ajax Security:

  1. If you use user authentication, make sure you check for it on the page that handles the request, not only on the page that served the HTML!
  2. Check for SQL injection.
  3. Check for JavaScript injection.
  4. Keep the business logic on the server!
  5. Don't assume every request is real, or that it came from your page!
  6. Validate the data on the server, whatever the client-side script already checked!
  7. Look at the request's header information and make sure it is what your page would send.
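As an added example (not code from the original post), here is a server-side handler for an Ajax "list my orders" request that applies rules 1, 4, 5, 6 and 7 above, and the earlier point that the client never gets to name tables or columns. It is framework-agnostic: `req` is a plain object shaped like the request a Node.js framework would hand you, and `db` is anything with a `query(text, values)` method. The route, the fields, the `orders` table and the token name are assumptions made for illustration.

```javascript
// Added example (not from the original post): an Ajax request handler that
// applies the rules of thumb above. Framework-agnostic; the route, fields,
// table and token name are assumptions for illustration.

// Rule 4: the only sort choices the client may name, mapped to real columns
// on the server. The client never learns or sends a column name.
const SORTABLE_COLUMNS = { date: "created_at", total: "total_cents" };
const PAGE_SIZE = 20;

function handleOrdersRequest(req, db) {
  // Rule 1: authenticate in the request handler itself, not only on the page
  // that served the HTML. A hand-crafted XMLHttpRequest skips that page.
  if (!req.session || !req.session.userId) {
    return { status: 401, body: { error: "not logged in" } };
  }

  // Rules 5 and 7: do not assume the request came from your page. Check the
  // method, the header your Ajax code sets, and a per-session token. A plain
  // cross-site <form> post cannot add the custom header, and an attacker who
  // can forge headers still has to know the token.
  if (req.method !== "POST" ||
      (req.headers["x-requested-with"] || "") !== "XMLHttpRequest" ||
      !req.body || req.body.token !== req.session.csrfToken) {
    return { status: 403, body: { error: "request rejected" } };
  }

  // Rule 6: validate every field against the shape you expect, server side,
  // regardless of what the client-side JavaScript already checked.
  const page = Number(req.body.page);
  if (!Number.isInteger(page) || page < 1 || page > 10000) {
    return { status: 400, body: { error: "bad page" } };
  }
  // hasOwnProperty matters: a sort value of "constructor" would otherwise
  // resolve to Object's constructor through the prototype chain.
  const column = Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, req.body.sort)
    ? SORTABLE_COLUMNS[req.body.sort] : null;
  if (!column) {
    return { status: 400, body: { error: "bad sort" } };
  }

  // Rules 2 and 4: the SQL text is fixed here; user-controlled values are
  // bound parameters, and the ORDER BY column came from the allow-list above.
  const text = "SELECT id, created_at, total_cents FROM orders WHERE user_id = ? " +
               "ORDER BY " + column + " DESC LIMIT ? OFFSET ?";
  const values = [req.session.userId, PAGE_SIZE, (page - 1) * PAGE_SIZE];
  return { status: 200, body: { rows: db.query(text, values) } };
}

// Constructed in-memory stand-in for a database driver so the example runs
// offline; it records each call instead of talking to a database.
function makeFakeDb() {
  const calls = [];
  return { calls, query(text, values) { calls.push({ text, values }); return []; } };
}

// Constructed sample request, shaped as the page's own Ajax code would send it.
function sampleRequest(overrides) {
  const req = {
    method: "POST",
    headers: { "x-requested-with": "XMLHttpRequest" },
    session: { userId: 42, csrfToken: "t0k3n" },
    body: { token: "t0k3n", page: "2", sort: "date" },
  };
  return Object.assign(req, overrides || {});
}
```

Note what the client is allowed to say: a page number and the word `date` or `total`. Everything that touches SQL is decided on the server, so an attacker who rewrites the Ajax request can at most get a 400 or 403, never a different query.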

Having common sense when programming an Ajax application will keep you and your data safe.

Eric Pascarello
Coauthor of Ajax In Action
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages
Moderator of HTML/JavaScript at www.JavaRanch.com


I agree with everything you say but I don't see why you specifically call this Ajax security. This is basic security issues relating to any web application. Whether the HTTPRequest is from Ajax, a "normal" web page or generated by an attacker is irrelevant - security precautions and business logic must still be implemented on the server. Cheers, Espen http://sleepyhead81.blogspot.com

I call it Ajax security since I want to get people's attention that think Ajax is insecure. Yes this can apply to any application framework out there.

This article is indexed on Google, so this is worth correcting: "The reason: Way too much business logic on the server and poorly implemented design on the server."

