RE: AJAX Concept Question

["Jason Karlin" <jasonkarlin () hotmail com>]

Because XML will save the world!!

Seriously, I think XML is a suggested message format, but I've only used it
a few times.  A typical scenerio for me is I have a section of the page I
want to update defined by a DIV. On a button click, or whatever event, the
ajax call will hit the servlet and redirect to a JSP (using J2EE here
obviously). The HTML content rendered by the JSP is returned to my original
page and the ajax method updates the DIV.innerHtml with that content.

This is similar to what you said below except not appending to the end of
the page, but overwriting a section.

If it matters, the prototype library is great for this type of call. It has
a helper Ajax.Updater which takes the id of the div, the URL, and params and
handles it all for you.  This is how I handle 90% of my ajax calls. No AJAX,
no messign with XMLHttpRequest!!  http://www.prototypejs.org/

In terms of benefits, this solution works great if you know how the content
should be rendered in HTML. In my case, I do so it saves me having to parse
some XML format and write a bunch of javascript to handle things.  However,
if the same info would be presented in a number of ways, it might be better
to return the data in some XML structure to be parsed by  each page
(creating more of an API call).

In terms of security, I can't think of anything inherent in either solution
that would make one better. Obviously if the data you're returning (whether
already rendered or in XML) is confidential, you would need to take
precautions like calling the server over HTTPS and verifing that the calling
app is trusted.

Hope this helps.
Jason

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Mat
Sent: Thursday, February 21, 2008 8:16 PM
To: webappsec () securityfocus com
Subject: AJAX Concept Question

I really have no formal experience with AJAX - just what I have learned from
google.

Why is XML used as a transport agent/layer?  

> From what I understand, AJAX is implemented using ActiveX (IE) or
XMLHttpRequest to get XML from somewhere.  Then the web page will parse the
XML and make dynamic changes to the based upon the returned XML. 

Another way I have seen it implemented (which makes more sense to me) is to
use javascript to append the response of a web page to the end of the 'web
page' (HTML, JSP, PHP, whatever).  For example, you request a web page, and
it will return 'alert("hello world");'... When that is appended to the end
of the page, it is executed.

The second method makes more sense to me because you don't have to do any
client side manipulation - all processing is done on the server side. 

What are the benefits of using either implementation?  Obviously the second
way is not typical AJAX due to the lack of XML - but its the same idea.
Also, are there any security related issues due to using either method? 

Thanks.


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment With the rapid
rise in the number and types of security threats, web application security
assessments should be considered a crucial phase in the development of any
web application. What methodology should be followed? What tools can
accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------