Hacking Web 2.0 Applications with Firefox
Shreeraj Shah

Hacking Web 2.0 Applications with Firefox 2006-10-12
JW
Actually, it should be noted that there isn't really anything that much more insecure about AJAX applications than about regular web applications. Of course, Web 2.0 services should be concerned about Cross-site Scripting attacks, but this is something regular web applications should think about too. The article mentions a file "getnews.aspx?date=09262006", which may be susceptible to SQL injection, but a regular page like "article.aspx?id=1234" is as susceptible to SQL injection as the mentioned example.

They also mention how you can change the code of a JavaScript file to meet your own (malicious) needs, but - again - while this definitely isn't something to forget, you could do the same with forms. So, while you should handle XMLHttpRequests not coming from your script, you should also consider HTTP POSTs coming from other servers. Of course, with a good separation of your code, this shouldn't pose any large problems, as you should always validate the user's input before processing and using it.

The bottom line is: these are all things you should bear in mind, but there are a lot of other security concerns you should care about too. This article digs deeper into two possible security flaws AJAX-powered sites may deal with, but there are a lot of other gotchas still out there. Try to separate your code on intention (for example, using the MVC paradigm) and validate the user input, and that should be fine (just don't do anything for the sake of doing it quick and messy).


Link to this comment: http://www.securityfocus.com/comments/infocus/1879/710#710
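Worked example of the point made in the comment above: the AJAX-style "getnews.aspx?date=" parameter and the plain "article.aspx?id=" parameter need exactly the same server-side validation and bound SQL parameters, whether the request arrives from XMLHttpRequest or from an ordinary form. This is an added example, not code from the article or from the commenter; the SQLite schema, the sample rows and the small handle() dispatcher are constructed assumptions standing in for the real site.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample data (an assumption, not the real site's schema).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE news(pub_date TEXT, headline TEXT);
CREATE TABLE article(id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO news VALUES ('2006-09-26', 'Web 2.0 security roundup');
INSERT INTO article VALUES (1234, 'Hacking Web 2.0 Applications with Firefox');
""")

DATE_RE = re.compile(r"^\d{8}$")  # MMDDYYYY, as in getnews.aspx?date=09262006

def parse_date_param(raw):
    """Canonicalise a MMDDYYYY query value or reject it; it is never spliced into SQL."""
    if not DATE_RE.match(raw):
        raise ValueError("date must be exactly 8 digits")
    try:
        return datetime.strptime(raw, "%m%d%Y").strftime("%Y-%m-%d")
    except ValueError:
        raise ValueError("date is not a real calendar date") from None

def parse_id_param(raw):
    """Accept only an ASCII decimal integer, as in article.aspx?id=1234."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be an integer")
    return int(raw)

def get_news(raw_date):
    """Validated value travels as a bound parameter, outside the SQL text."""
    iso = parse_date_param(raw_date)
    return conn.execute("SELECT headline FROM news WHERE pub_date = ?", (iso,)).fetchall()

def get_article(raw_id):
    aid = parse_id_param(raw_id)
    return conn.execute("SELECT title FROM article WHERE id = ?", (aid,)).fetchall()

def handle(path, params):
    """One validation path for both XHR and form requests (hypothetical dispatcher)."""
    try:
        if path == "getnews.aspx":
            return 200, get_news(params.get("date", ""))
        if path == "article.aspx":
            return 200, get_article(params.get("id", ""))
        return 404, []
    except ValueError as e:
        return 400, str(e)
```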
Hacking Web 2.0 Applications with Firefox 2006-10-12
Zachary Richmond (1 replies)
Good article but.. 2006-10-16
Zachary Richmond
Copyright 2008, SecurityFocus