Comments on: Is your application secure enough?

By: Le Khac Nhu

Le Khac Nhu — Tue, 11 Apr 2006 06:59:27 +0000

It will secure if script on server is secure! (PHP secure => Ajax secure :D)

By: sean g

sean g — Thu, 06 Apr 2006 16:03:02 +0000

i agree with tim leonard. this whole web 2 ajax thing has turned a lot of web designers into programmers; which is a good thing, but the issue of security is so important it should be learnt as a fundamental.

what people are missing is that we’re still dealing with plain jane http here, nothings really changed.

By: Tim Leonard

Tim Leonard — Thu, 06 Apr 2006 13:59:47 +0000

At first, I wasn’t sure… but now… I’m almost sure…

AJAX web-apps seem to be as secure as the ASP/PHP you build it on.

If you know how to manage ASP/PHP sessions properly and implement them into the pages you make your XMLHTTP calls to… your security should be as strong as it always has been.

The AJAX security scares seem to only really be relevant to coders who have no common sense and haven’t dealt with authentication-at-all-stages before. (ie. Somebody who isn’t a secure web-app developer in the first place… which is something they should learn at the server-side code stage anyway!!!)

I know… that’s kinda rough.. but I’m sure I’m not far off the truth.

(at least.. having developed lots of web-apps… that’s what I’ve observed so far.)

By: Hakan Bilgin

Hakan Bilgin — Thu, 06 Apr 2006 09:46:57 +0000

After reading the post I discovered at “Darknet.org.uk”, I discovered that the author is talking about a similar solution though setting the “token” on the serverside as a session variable will bind the token to the visitors window, making the server-client-communication more trusted. This phenomenon seems to have escaped the author.

By: Hakan Bilgin

Hakan Bilgin — Thu, 06 Apr 2006 09:15:12 +0000

What do you think about this solution? The idea is unfinished since not “all” possibilities is delt with yet.

When the document is requested from the server, the server creates a uniqueId and set it as a session variable and also writes it to the documents javascript. Now the session variable is explictitly bound to the window requesting the document.

On every Ajax request made to the server, the variable has to be sent as well. Before the serverside Ajax handler does anything, it checks whether the session variable is the same as the sent variable;
- If it is the same continue (request origins from a page issued by the server)
- Else ignore the request (request origins from untrusted source)

This is the serverside…about clientside code injection:
- The drag’n drop injection can be cancelled.
- Location bar injection is possible way to inject code (open a window without location bar?)
- GreaseMonkey is a huge problem; an attacker can build custom tools to attack the server. I don’t know how this can be stopped.

This is not a definite solution but augments the security a nudge. I am very intressted in other and/or additional suggestions. This is an important topic.

By: Ed Frederick

Ed Frederick — Wed, 05 Apr 2006 19:22:23 +0000

I think the article was pretty terrible–the whole issue of POSTs being harder to ‘fake’ is pretty silly.

In addition, the business with cross-site request forgery is pretty off topic, especially considering XHR does not allow you to make cross-site requests.

Securing ajax apps is no different than securing any other dynamic webapp. The real risk is that with all of this exuberance and fine-grained access, people can fail to see the forest for the trees.

By: ShaolinTiger

ShaolinTiger — Wed, 05 Apr 2006 16:54:39 +0000

I agree, its similar to any dynamic web application but a lot of people flocking to web apps don’t look at the basic issues with web transactions.

Yah AJAX is just a new way of doing old things and it cuts down on refreshing whole pages, but it does add new vectors of attack so I think it should be a consideration, especially for developers going straight into AJAX.

By: Jim Plush

Jim Plush — Wed, 05 Apr 2006 16:51:18 +0000

I think it is newsworthy as new developers are flocking to ajaxify their apps before even thinking about common security flaws common to all of their pages. I’m seeing alot of developers completely trusting the user input, thinking their ajax server page is only getting requests from their scripts. Security awareness is always news.

By: Mario

Mario — Wed, 05 Apr 2006 15:17:52 +0000

Whats the deal. If you made insecure apps before ajax you will continue the bad habits with ajax. Ajax is not some black magic, basically a form submit… just sent without refreshing… why is this even news worthy?