Experts Say Ajax Not Inherently Insecure
An anonymous reader writes "Jeremiah Grossman (CTO of WhiteHat Security) has published Myth-Busting - an article dismissing the hyped-up claims that AJAX is insecure. He says: 'The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true ... Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS), reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged.'"
Vulnerability in practice is just as bad or worse (Score:5, Insightful)
It's not the (non-existent?) inherent security problems in the bundle of techniques we're referring to, it's the weaknesses that show up in the practice of shoddy implementation, cheezy hosting platforms, etc. There's nothing wrong with AJAX, it's the AJAX-envy among less sophisticated operators that we have to worry about. We just have to quit saying it's 'easy' to implement, because none of the underlying bits and pieces (in terms of being bullet-proof) are 'easy,' and a browser-agnostic soup of a couple dozen of those bits is that many times harder.
Existing Best Practices (Score:2, Insightful)
With open-source, you can examine the source before you run the program, and can take steps to ensure that the program you run is compiled from the source you examined and that it's unchanged since the last time you ran the program. There's no good way to do the same thing with Javascript.
"Not trusting someone who
Where the heck did this hype come from? (Score:3, Insightful)
All AJAX really gives you is that first 'A': asynchronous. All the other underlying mechanics of client-to-server communications over HTTP apply. This means that your security checklist is absolutely no different than using a good old-fashioned [form].
To slam AJAX as insecure as a technology is just bad thinking to begin with - it's a tool, that's all. Whether or not it's used in a secure fashion is really more a best-practice and/or training issue.
Besides, didn't we already go over all this when Web-Services were a big deal?
Re:Best security practices (Score:2, Insightful)
Is javascript really that horrible?
Re:Best security practices (Score:3, Insightful)
It's the Javascript that's the pain really. I tried using the noscript extension for a while, but it was actually more of an inconvenience than the risk of running something malicious. Seems that a very high number of webpages - and the most improbable ones too - use javascript and are dysfunctional if you disallow it. I'm not sure how to win with this - a little risk for a higher quality of web browsing? It's what I do, but not what I want.
Re:That article was a mixed bag (Score:2, Insightful)
Um, a blob of XML. Quoting and escape characters are a big source of vulnerabilities. XML has well-defined quoting rules. CGI parameters have no structure, so structure must be done ad hoc. XML structure can be validated on the server using XML Schema or Relax, or other mechanisms.
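An added example, not from the article or from any commenter, illustrating the two points above: a server-side handler that takes the same "comment" field whether it arrives as an old-fashioned form POST, an AJAX JSON body, or an XML blob, and runs all three through one validation and HTML-escaping path. The field name, the content types and the sample payloads are constructed for the example; the parsers are Python's standard library.

```python
import html
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

MAX_LEN = 200  # hypothetical server-side limit; the client cannot relax it


def extract_comment(content_type, body):
    """Return the 'comment' field regardless of how the browser sent it."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return parse_qs(body).get("comment", [""])[0]
    if content_type.startswith("application/json"):
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
        return str(data.get("comment", ""))
    if content_type.startswith(("application/xml", "text/xml")):
        # Untrusted XML in production would go through a hardened parser
        # such as defusedxml; ElementTree is used here to keep it stdlib-only.
        node = ET.fromstring(body).find("comment")
        return (node.text or "") if node is not None else ""
    raise ValueError("unsupported content type")


def validate(comment):
    """Server-side checks; these run even when the page's JavaScript is skipped."""
    if not comment.strip():
        raise ValueError("comment required")
    if len(comment) > MAX_LEN:
        raise ValueError("comment too long")
    return comment


def render(comment):
    """Escape on output: the transport (form vs XHR) changes nothing here."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def handle(content_type, body):
    return render(validate(extract_comment(content_type, body)))


# Constructed sample: the same script-tag payload sent three different ways.
SAMPLES = [
    ("application/x-www-form-urlencoded", "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
    ("application/json", '{"comment": "<script>alert(1)</script>"}'),
    ("application/xml", "<post><comment>&lt;script&gt;alert(1)&lt;/script&gt;</comment></post>"),
]


def handle_all():
    return [handle(ct, body) for ct, body in SAMPLES]
```

All three transports yield the identical escaped `<li>`, and an over-length body is rejected the same way whether or not a client-side check ever ran.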
Re:Best security practices (Score:4, Insightful)
Sites should function without script for accessibility and only the bad guys would stand to lose from a more realistic approach to security by browser vendors.
When you can write a new version of Google's spreadsheet program that uses only HTML and CSS, I'll go along with the idea that we should get rid of javascript.
deadly cross-site scripting (Score:3, Insightful)