
[Ajax] Top 10 Web 2.0 Attack Vectors

Shreeraj Shah on Top 10 Web 2.0 Attack Vectors:
This technological transformation is bringing in new security concerns and attack vectors into existence. Yamanner, Samy and Spaceflash type worms are exploiting “client-side” AJAX frameworks, providing new avenues of attack and compromising some of the confidential information.
Worth reading, I say. Especially #6, client-side validation in AJAX routines:

WEB 2.0 based applications use AJAX routines to do a lot of work on the client-side, such as client-side validations for data type, content-checking, date fields, etc. Normally, these client-side checks must be backed up by server-side checks as well. Most developers fail to do so; their reasoning being the assumption that validation is taken care of in AJAX routines. It is possible to bypass AJAX-based validations and to make POST or GET requests directly to the application – a major source for input validation based attacks such as SQL injection, LDAP injection, etc. that can compromise a Web application’s key resources.

This is not just a common mistake in Ajax code; it applies to every web page and form where input validation is left to JavaScript on the client side. If you care about the data people feed you, always check it on the server side. And not only data from form fields: also check the data you receive via web services, POX over HTTP, or even the product catalog you import from trusted parties.
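To make the point concrete, here is an added example (not code from the original post or from Shah's article) in JavaScript: one validator shared by the browser and the server, with the server re-running it on the raw request body and only then building a parameterized query. The field names, rules and the forged request are assumptions made up for illustration.

```javascript
// Added example, not from the original post. Field names and rules are
// illustrative assumptions. The browser copy of the check only improves the
// user experience; anyone posting to the endpoint directly never runs it.
const RULES = {
  email:    v => typeof v === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  quantity: v => Number.isInteger(v) && v >= 1 && v <= 100,
  sku:      v => typeof v === "string" && /^[A-Z0-9-]{3,16}$/.test(v),
};

// Shared validator: returns the names of the fields that failed.
function validate(fields) {
  return Object.keys(RULES).filter(name => !RULES[name](fields[name]));
}

// Browser side: what an AJAX form handler runs before submitting. The form
// object is assumed to already hold quantity as a number (Number(input.value)).
function clientSideSubmit(form, send) {
  const errors = validate(form);
  if (errors.length) return { sent: false, errors };
  send(JSON.stringify(form));
  return { sent: true, errors: [] };
}

// Server side: treats the raw body as untrusted, re-validates with the same
// rules, and passes user values as query parameters, never concatenated into
// the SQL text. This is the check that actually protects the application.
function handleOrderRequest(rawBody) {
  let fields;
  try {
    fields = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["malformed JSON"] };
  }
  if (fields === null || typeof fields !== "object") {
    return { status: 400, errors: ["body must be an object"] };
  }
  const errors = validate(fields);
  if (errors.length) return { status: 400, errors };
  return {
    status: 200,
    sql: "INSERT INTO orders (email, sku, quantity) VALUES (?, ?, ?)",
    params: [fields.email, fields.sku, fields.quantity],
  };
}

// Constructed request that skipped clientSideSubmit entirely (sent with a raw
// HTTP client). The server rejects it on its own validation.
const forgedBody = JSON.stringify({ email: "x", quantity: "1; DROP TABLE orders", sku: "A'--" });
console.log(JSON.stringify(handleOrderRequest(forgedBody)));
```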
