
AJAX: A Hacker's Dream?

The warning flags are going up about the increasing use of AJAX in Web applications. It seems as though we're increasing the usability of our apps while dropping our guard on security issues. There's a great post by Dan Sellers on multiple potential vulnerabilities in the misuse of the technology. Here are some of the issues Dan discusses:

  • Web services left wide open to denial-of-service attacks on endpoints
  • Broader attack surfaces created when the attacker can see function names, variables, parameters, return type, and data types
  • JavaScript Web service proxies give hackers direct access to trusted resources for SQL injection attacks
  • Out-of-band JavaScript calls injected by bad guys present a silent and unseen danger
  • Hackers could use cross-site scripting to propagate malware like a worm

As Dan suggests, AJAX controls should carry warning stickers about new client-side security issues.


1 Comment

  • I delivered a session at the Microsoft Finland WebDay 2006 event covering all of these problems.

    AJAX is not the issue, it's our usage of it.

    We need to push a heavy education plan to the community detailing what we can do to mitigate the risks.
