WebApp Sec mailing list archives
Re: Ajax Security discussion for the OWASP Guide
From: John Manko <jmanko () johnmanko com>
Date: Fri, 23 Sep 2005 12:37:36 -0400
The "client/server interactions" that are taking place need to be divided into two security aspects: from the perspective of the client, and from the perspective of the server. If I'm developing a web application and implementing AJAX features, the only concern I have is validating that the request is coming from a legitimate user session and that the request is functionally acceptable. The user's security concern is of no consequence to me. Now, as a user, it would be nice to know if a page is communicating with a remote server. Perhaps browsers should consider allowing more detailed JavaScript enable/disable features, applying different rules to different sites, and notifying the user if certain restrictions are violated.
noname () nospace com wrote:
AJAX has the capability of subverting the presumed behavior of a web application, in the sense that even sophisticated users could not easily tell which client/server interactions are taking place and when. This may have security implications, for example if an application sends back to the server each keystroke as it is typed; this could potentially reveal sensitive information (wrong credentials, inadvertently typed by the user, etc.). It is probably more a problem of policy and of informing the end user of what is going on (and actually not all would understand what that means... but that's another story). Basically a new thing to consider is that AJAX may break the usual web application paradigm as we know it.
Current thread:
- Ajax Security discussion for the OWASP Guide Andrew van der Stock (Sep 22)
- Re: Ajax Security discussion for the OWASP Guide Serg Belokamen (Sep 22)
- <Possible follow-ups>
- RE: Ajax Security discussion for the OWASP Guide Luke Fraser (Sep 23)
- Re: Ajax Security discussion for the OWASP Guide noname (Sep 23)
- Re: Ajax Security discussion for the OWASP Guide Andre Ludwig (Sep 23)
- Re: Ajax Security discussion for the OWASP Guide John Manko (Sep 23)
- Re: Ajax Security discussion for the OWASP Guide focus (Sep 24)