AJAX and security
Posted Sep 7, 2006 4:27 UTC (Thu) by mrshiny
Parent article: AJAX and security
I'm curious about real exploits that are made possible by AJAX that don't exist otherwise.
Frankly, from the server's perspective, you still have an untrustworthy client making requests to a publicly available service. This is not new. The fact that you can dynamically request part of a page instead of a whole page changes nothing.
Also, the notion that SQL Injection or XSS attacks are somehow made worse in the presence of AJAX is strange to me. For one thing, XSS has always been able to use XmlHttpRequest, and can do so even if the host site doesn't normally use AJAX. Also, SQL Injection is a plain case of developers writing bad software, just like buffer overflows. This is a question of developer education and has nothing to do with AJAX.
Finally, an AJAX Bridge sounds just like an HTTP proxy; running an open proxy is stupid (from a security standpoint) and so is running an AJAX bridge.
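As an added example (not code from the comment, the LWN article, or any project it names), the point that the server sees the same untrusted request whether or not the client used XMLHttpRequest, and that only the way the handler builds its query decides whether it is injectable. The in-memory SQLite table, the sample rows, the request dict, the `INJECTION` payload, and the `X-Requested-With` header check (a convention some client libraries follow; it is an assumption here, not something the page states) are all constructed for illustration.

```python
"""Constructed demonstration: an XHR request and a plain form request are the
same untrusted input on the server; string-built SQL is injectable either way,
parameterized SQL is not."""
import sqlite3

# Constructed sample data, not from the original page.
ROWS = [
    (1, "AJAX and security", 0),
    (2, "Kernel release notes", 0),
    (3, "Unpublished draft", 1),   # draft=1: must never be returned
]

# Constructed attacker input: closes the LIKE string, bypasses draft=0,
# and comments out the rest of the statement (SQLite honours "--").
INJECTION = "%' OR 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, draft INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ROWS)
    return conn


def make_request(q, ajax):
    """Minimal stand-in for a parsed HTTP request (hypothetical shape).

    The header is chosen by the client, so an attacker can set or omit it
    at will; the server learns nothing trustworthy from it."""
    headers = {"X-Requested-With": "XMLHttpRequest"} if ajax else {}
    return {"params": {"q": q}, "headers": headers}


def is_ajax(request):
    """What a naive 'is this an AJAX call?' check looks like. It is not a
    security boundary: any HTTP client can send this header."""
    return request["headers"].get("X-Requested-With") == "XMLHttpRequest"


def search_vulnerable(conn, request):
    """Deliberately injectable: user input is spliced into the SQL text.
    Whether the request came via XHR is irrelevant to the outcome."""
    term = request["params"].get("q", "")
    sql = ("SELECT id, title FROM articles "
           "WHERE draft = 0 AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_safe(conn, request):
    """Same query, parameterized: the input can only ever be a LIKE pattern."""
    term = request["params"].get("q", "")
    sql = "SELECT id, title FROM articles WHERE draft = 0 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def transport_makes_no_difference(conn, handler, q):
    """True when the handler returns identical rows for an XHR-style request
    and a plain form request carrying the same parameter."""
    return handler(conn, make_request(q, True)) == handler(conn, make_request(q, False))


def demo():
    conn = make_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, make_request("AJAX", True)),
        "benign_safe": search_safe(conn, make_request("AJAX", False)),
        # Injection leaks the draft row regardless of how the request arrived.
        "injected_vulnerable": search_vulnerable(conn, make_request(INJECTION, False)),
        "injected_safe": search_safe(conn, make_request(INJECTION, True)),
        "ajax_flag_is_client_controlled": is_ajax(make_request(INJECTION, True)),
        "same_over_both_transports": transport_makes_no_difference(
            conn, search_vulnerable, INJECTION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The only line that changes between the two handlers is how `term` reaches the database; nothing about the request's transport enters into it, which is the comment's point.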