Secure Coding mailing list archives

eWeek: AJAX Poses Security, Performance Risks


From: pmeunier at cerias.purdue.edu (Pascal Meunier)
Date: Mon, 30 Jan 2006 13:48:42 -0500

On 1/30/06 1:09 PM, "Kenneth R. van Wyk" <Ken at krvw.com> wrote:

> Any AJAX experts here want to comment on the eWeek article cited below?
>
> http://www.eweek.com/article2/0,1895,1916673,00.asp
>
> It claims, among other things, that "AJAX dramatically increases the amount of
> XML network traffic being transmitted, exposing applications to Web services
> vulnerabilities".
>
> Cheers,
>
> Ken van Wyk

AJAX bothers me strongly for none of the reasons mentioned, which are
"curiously" limited to the capabilities of the "solution" from the same
source as the alert.  AJAX:

- Forces people to open their browsers to potentially malicious client-side
scripts from other sites, unless users actively manage their IE zones (I've
rarely found people who even know how to use them) or use something like the
NoScript Firefox extension (and even then it needs better SSL support as it
depends on and trusts DNS unless you specify the fully-qualified URL).
JavaScript is a notorious attack vector.  I have the same issue with Windows
Media Player 10 (the internet radio part requires JavaScript to work) and
any site that forces visitors to use JavaScript to access content.
Requiring JavaScript is unconscionable, security-wise, in my opinion.

- Tempts software developers to assume that it's their code that is running
on the client, and trust it with input validation, access control, and
sensitive values.  This is a repeated, typical mistake in client-side
scripting.  Why tempt people into doing stupid things?

Cheers,
Pascal
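An added illustration of Pascal's second point (this is not code from the post or from the eWeek article): a server-side handler that trusts the client script's own validation and role claims, beside one that takes identity from the server-side session and re-validates the request. The session table, account table and request shapes are constructed for the example.

```javascript
// Constructed server-side state: session token -> authenticated user.
const SESSIONS = { "tok-alice": { user: "alice" } };
// Constructed account table: account id -> owner and balance.
const ACCOUNTS = {
  "acct-1": { owner: "alice", balance: 100 },
  "acct-2": { owner: "bob", balance: 100 },
};
// Fresh copy of the accounts so each handler call starts from known state.
function freshAccounts() { return JSON.parse(JSON.stringify(ACCOUNTS)); }

// INSECURE: trusts what the AJAX client sent. The JSON body arrives over
// XMLHttpRequest, but the client script runs under the user's control, so
// "validated", "role", "user" and "amount" are all attacker-controlled.
function withdrawTrustingClient(body, accounts) {
  if (!body.validated) return { ok: false, reason: "client says invalid" };
  const acct = accounts[body.account];
  if (!acct) return { ok: false, reason: "no such account" };
  if (body.role !== "admin" && acct.owner !== body.user) {
    return { ok: false, reason: "not owner" };
  }
  acct.balance -= body.amount; // amount is never re-checked on the server
  return { ok: true, balance: acct.balance };
}

// HARDENED: identity comes from the session the server issued, the amount is
// validated server-side, and authorization is decided against that identity.
function withdrawServerChecked(sessionToken, body, accounts) {
  const session = SESSIONS[sessionToken];
  if (!session) return { ok: false, reason: "not authenticated" };
  const amount = Number(body.amount);
  if (!Number.isInteger(amount) || amount <= 0) {
    return { ok: false, reason: "bad amount" };
  }
  const acct = accounts[body.account];
  // Same answer for "missing" and "someone else's": no account enumeration.
  if (!acct || acct.owner !== session.user) return { ok: false, reason: "forbidden" };
  if (acct.balance < amount) return { ok: false, reason: "insufficient funds" };
  acct.balance -= amount;
  return { ok: true, balance: acct.balance };
}

// Constructed request a tampered client script could send: it asserts its own
// validation, claims a role, and uses a negative amount to credit the account.
const TAMPERED = {
  validated: true, role: "admin", user: "mallory", account: "acct-2", amount: -500,
};
```

Run the two handlers on `TAMPERED`: the trusting one credits bob's account by 500, the server-checked one rejects the request before touching any balance.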