|
Ajax applications may be less secure than standard Web applications. At a minimum, splitting an app into two distinct programmatic components—one for the browser, one for the server—appears to open up Ajax-specific vulnerabilities.
Although the ‘X’ in Ajax stands for XML, many Web 2.0 apps don’t actually use XML as a container for the data being sent to and from the client and server. Instead, they pass data as a JavaScript object or as code that can be evaluated in JavaScript, simplifying client-side processing.
The problem—recently highlighted in a Fortify Software advisory and originally described over a year ago—is that this approach leaves users vulnerable, in particular, to cross-site request forgery attacks. In such an attack, a Web site can cause your browser to make requests to another domain name with your current session cookie for that site, and access the returned data by overriding default JavaScript functions.
This means a lot of Ajax applications must be updated. If the framework developers can’t get it right, what are the odds that an average developer can keep Ajax apps secure?
|