Secure Coding mailing list archives
eWeek: AJAX Poses Security, Performance Risks
From: pmeunier at cerias.purdue.edu (Pascal Meunier)
Date: Mon, 30 Jan 2006 13:48:42 -0500
On 1/30/06 1:09 PM, "Kenneth R. van Wyk" <Ken at krvw.com> wrote:
> Any AJAX experts here want to comment on the eWeek article cited below?
> http://www.eweek.com/article2/0,1895,1916673,00.asp
> It claims, among other things, that "AJAX dramatically increases the amount of XML network traffic being transmitted, exposing applications to Web services vulnerabilities".
>
> Cheers,
> Ken van Wyk
AJAX bothers me strongly for none of the reasons mentioned, which are "curiously" limited to the capabilities of the "solution" from the same source as the alert. AJAX:

- Forces people to open their browsers to potentially malicious client-side scripts from other sites, unless users actively manage their IE zones (I've rarely found people who even know how to use them) or use something like the NoScript Firefox extension (and even then it needs better SSL support, as it depends on and trusts DNS unless you specify the fully-qualified URL). JavaScript is a notorious attack vector. I have the same issue with Windows Media Player 10 (the internet radio part requires JavaScript to work) and any site that forces visitors to use JavaScript to access content. Requiring JavaScript is unconscionable, security-wise, in my opinion.

- Tempts software developers to assume that it's their code that is running on the client, and trust it with input validation, access control, and sensitive values. This is a repeated, typical mistake in client-side scripting. Why tempt people into doing stupid things?

Cheers,
Pascal
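The second point above, the server trusting validation and access-control decisions made by its own JavaScript on the client, as an added example that is not part of the original thread. Both handlers, the session store and the request are constructed for illustration; the shapes of `req` and `sessions` are assumptions, not any real framework's API.

```javascript
// Added example: an AJAX endpoint that believes the client versus one that
// re-validates on the server. The session store below is constructed; in a
// real application it would be the server's own record of who is logged in.
const sessions = {
  "sess-alice": { user: "alice", role: "user" },
  "sess-root": { user: "root", role: "admin" },
};

const TRANSFER_LIMIT = 1000; // non-admin users may not exceed this amount

// Vulnerable handler: the client-side script "validated" the amount and also
// sent its own role flag, and the server trusts both. Anyone can edit the
// request the browser sends, so this check only restrains honest clients.
function transferTrustingClient(req) {
  const { amount, role } = req.body;
  if (role !== "admin" && amount > TRANSFER_LIMIT) {
    return { ok: false, reason: "limit" };
  }
  return { ok: true, amount };
}

// Hardened handler: the role is looked up from the server-side session and
// never read from the request body, and the amount is re-validated here even
// though the client-side form already checked it.
function transferServerValidated(req) {
  const session = sessions[req.sessionId];
  if (!session) return { ok: false, reason: "no session" };
  const amount = Number(req.body.amount);
  if (!Number.isInteger(amount) || amount <= 0) {
    return { ok: false, reason: "bad amount" };
  }
  if (session.role !== "admin" && amount > TRANSFER_LIMIT) {
    return { ok: false, reason: "limit" };
  }
  return { ok: true, amount, user: session.user };
}

// Constructed request: a tampered client claims the admin role to bypass the
// limit. Only the server-validated handler refuses it.
const tamperedRequest = {
  sessionId: "sess-alice",
  body: { amount: 5000, role: "admin" },
};
```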