Re: Ajax Security discussion for the OWASP Guide

[John Manko <jmanko () johnmanko com>]

The "client/server interactions" that are taking place needs to be 
divided into two security aspects: from the perspective from the client, 
and from the perspective from the server.  If I'm developing a web 
application and implementing AJAX features, the only concern I have is 
validitating that the request is coming from a legitimate user session 
and that the request is functionally acceptable.  The user's security 
concern is of no consequence to me. 

Now, as a user, it would be nice to know if a page to communicating to a 
remote server.  Perhaps browsers should consider allowing more detailed 
javascript enable/disable features, apply different rules to different 
sites, and notifications to user if certain restrictions are violated.

noname () nospace com wrote:

> AJAX has the capability of subverting the presumed behavior of a web application, in the sense that even sophisticated 
> users could not easily tell which client/server interactions are taking place and when. This may have security 
> implications, for example if an application sends back to the server each keystroke as it is typed; this could 
> potentially reveal sensitive information (wrong credentials, inadvertently typed by the user, etc.).
> It is probably more a problem of policy and of informing the end user of what is going on (and actually not all would 
> understand what that means... but that's another story).
> Basically a new thing to consider is that AJAX may break the usual web application paradigm as we know it.
>
>
>