Secure Coding mailing list archives

Is there any Security problem in Ajax technology?


From: gwc at acm.org (George Capehart)
Date: Mon, 13 Mar 2006 15:30:04 -0500

Dinis Cruz wrote:
> I personally think that AJAX has the potential to create very insecure applications because it pushes the data
> validation and authorization layers back to the client (i.e. the browser)
>
> "AJAX brings 'Back the Rich Client' and all its security problems"
>
> Kentaro, on your AJAX application you must follow the rule-of-thumb of not trusting any data supplied by your own
> Client-Side-AJAX functions, and authorize every request.
>
> In a nutshell: any data validation and authorization decisions/actions made at the Client-Side-AJAX functions are
> only there for usability, and have NO security value.

I enthusiastically agree with the above.  I'll take it further and suggest
that, even then, the input from the Web should/must be examined and sanitized
before use . . .  /*still*/ need to check for SQL injection attacks, etc.
IMNSHO, identification, authorization and validation should always be done by
the part of the system that is at risk if the input is bad (in any of the
connotations of bad) . . .

Cheers,

/g
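The rule both posters state (client-side AJAX checks are usability only; the server re-validates, authorizes and still guards against SQL injection) shown as code. This is an added example, not code from the thread or from either poster. It assumes a Node.js-style request handler that receives a server-side session object and a parsed JSON body, and a database driver that accepts `$1`-style placeholders; the handler names, the session shape and the sample requests are constructed for the illustration.

```javascript
// Insecure variant: the server assumes the page's JavaScript already validated
// the e-mail and already decided which record may be edited, so it takes the
// authorization decision (userId) from the request body and splices the
// unvalidated value straight into SQL text.
function insecureUpdateEmail(session, body) {
  const userId = body.userId; // trusted from the client (wrong)
  const sql = `UPDATE users SET email = '${body.email}' WHERE id = ${userId}`;
  return { ok: true, sql, params: [] };
}

// Server-side validation that does not depend on anything the browser did.
// The pattern is deliberately simple; a real deployment would use its
// framework's validator, but the point is that it runs on the server.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function validateEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

// Hardened variant: identity comes from the server-side session, the input is
// re-validated here, and the statement is parameterized so the e-mail is
// always passed as data, never as SQL.
function secureUpdateEmail(session, body) {
  if (!session || !Number.isInteger(session.userId)) {
    return { ok: false, status: 401, error: 'not authenticated' };
  }
  // Authorization: a user may only update their own record. A client-supplied
  // userId that disagrees with the session is rejected rather than silently
  // overridden, so tampering shows up in the server's logs.
  if (body.userId !== undefined && body.userId !== session.userId) {
    return { ok: false, status: 403, error: 'cannot modify another user' };
  }
  if (!validateEmail(body.email)) {
    return { ok: false, status: 400, error: 'invalid email' };
  }
  return {
    ok: true,
    sql: 'UPDATE users SET email = $1 WHERE id = $2',
    params: [body.email, session.userId],
  };
}

// Demonstration with a constructed tampered request: the session belongs to
// user 1, but the body claims user 2 and carries a malformed e-mail value.
const demoSession = { userId: 1 };
const demoBody = { userId: 2, email: "x@example.test' WHERE id = 2 --" };
console.log(insecureUpdateEmail(demoSession, demoBody).sql);
console.log(secureUpdateEmail(demoSession, demoBody));
```

The insecure handler returns `ok: true` and an SQL string that now contains the client's text; the hardened handler never reaches the database for that request, and when it does run a query the SQL text is a constant and only `params` varies.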
