Wednesday, August 9th, 2006

Cross-Domain Ajax Insecurity

Category: Ajax, Security, XmlHttpRequest

Chris Shiflett has posted his look today at cross-domain Ajax requests and some of the security implications that come with them, especially in a world where more and more developers are beginning to think they’re okay. Since the birth of Ajax (the term, not the technology), there has been an increasing interest in various Read the rest…

Posted by Chris Cornutt at 10:03 am

3.7 rating from 67 votes

Tuesday, August 8th, 2006

Ajax Hacking for Fun and Profit?

Category: Articles, Security

Apparently, not all is well in the world of Ajax (who knew?) according to this news story on the USA Today website. In it, they talk about the malicious uses of Ajax they’re seeing, and how those are on the rise. Recent high-profile attacks include June’s Yamanner computer worm, designed to harvest e-mail addresses Read the rest…

Posted by Chris Cornutt at 8:33 am

3.1 rating from 29 votes

Thursday, August 3rd, 2006

A Number of Ajax Security Items

Category: Security

CNet has a roundup of the state of play in Web 2.0 security, entitled The security risk in Web 2.0. It recaps recent Yahoo! Mail and MySpace worms and points the finger of blame squarely at Ajax: One of the key enablers of the flashier Web sites is a programming technique known as AJAX, which Read the rest…

Posted by Dietrich Kappe at 12:34 pm

4.1 rating from 15 votes

Wednesday, August 2nd, 2006

Securing Access to Ajax Proxy Servers

Category: Java, Security

A little over a week ago, we linked to a blog by Sun Ajax guru Greg Murray (creator of jMaki) discussing his small Ajax server-side proxy framework for Java, called (creatively enough) XmlHttpProxy. Greg’s back with a new blog discussing five different options for securing server-side Ajax proxy servers: 1. Token Based Restriction – Limit Read the rest…

Posted by Ben Galbraith at 11:33 pm

3 rating from 7 votes

Thursday, June 15th, 2006

AJAX Storage Security

Category: Articles, Security, Storage

Corey Benninger of Foundstone has written a paper on Ajax Storage Security (pdf): I wanted to let you know Foundstone has a white paper on their website about AJAX Storage from a security angle. The paper focuses mainly on where Flash shared objects (used in Dojo), and IE persistence user-data, get stored on the local Read the rest…

Posted by Dion Almaer at 8:40 am

4.3 rating from 29 votes

Tuesday, May 30th, 2006

Sprajax – An Ajax Security Scanner

Category: Security, Utility

On the Pathfinder blog today, there’s an entry about a new security offering for the Ajax community – Sprajax. Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on Read the rest…

Posted by Chris Cornutt at 8:24 am

3.4 rating from 32 votes

Wednesday, April 12th, 2006

XHR SQL Injection: Ajax Antipattern Illustrated

Category: Remoting, Security

Some of you will be familiar with, a website showcasing code in the wild that is, well, less than professional. A recent forum item illustrates the ultimate Ajax antipattern: uploading arbitrary code to be executed on the server. Gustavo Carvalho discovered what happens when XMLHttpRequest and the eval() function in PHP are combined. I’ll Read the rest…

Posted by Michael Mahemoff at 6:08 pm

4 rating from 38 votes

Wednesday, April 5th, 2006

Is your application secure enough?

Category: Ajax, Security

Ajax security is on everyone’s minds these days, whether it’s just a simple internal application or a large, public-facing hulking app. Worrying about the security of your project is never a bad thing, and to try to help direct your thoughts in the right direction, I wanted to share this post on that asks Read the rest…

Posted by Chris Cornutt at 7:43 am

3.4 rating from 30 votes

Tuesday, February 7th, 2006

Eric Pascarello Interviewed about Ajax Security

Category: Ajax, Security, XmlHttpRequest

On, there’s an interview with Eric Pascarello, co-author of the book “Ajax in Action” concerning some of the security issues that surround Ajax and how to address them. In this interview he talks about Ajax security issues, the need for server-side validation and the Ajax worm released last October on They start at Read the rest…

Posted by Chris Cornutt at 4:16 pm
1 Comment

3.4 rating from 38 votes

Ajax Security to be Added to OWASP Guide

Category: Ajax, Security

As a part of the upcoming version of the Open Web Application Security Guide project, Andrew Van Der Stock has posted his slides of a presentation he did as a preview of the “Ajax chapter” for the new guide (version 2.1). The slides can be downloaded in PDF form here (1.8MB) and you can signup Read the rest…

Posted by Chris Cornutt at 8:26 am

3.8 rating from 12 votes

Thursday, January 5th, 2006

Forget Your Passwords with Agatra

Category: Security, Showcase

Agatra is a new service for managing all your passwords. Based on your Agatra master password, it will maintain a list of logins and passwords for all your favourite websites. It’s more than a memory tool, because Agatra’s list of sites will actually launch the links – in most cases, you can login automatically from Read the rest…

Posted by Michael Mahemoff at 10:27 pm

3.6 rating from 19 votes

Saturday, December 31st, 2005

Cross-Site Phishing

Category: Security

Eric Pascarello suggests another risk of running Javascript from another domain: Using Javascript to fake a login page. Spoofing of a web page to get your information is so common. I see in my inbox that your —(insert bank, shopping site, etc) account is going to be removed if you do not verify your information. Read the rest…

Posted by Michael Mahemoff at 7:04 pm

3.8 rating from 71 votes

Wednesday, December 21st, 2005

Busting the Bots with Ajax

Category: Security

Wael Chatila has published the final of a three-part series exploring Ajax Security. The articles have covered: Using mouse gestures as passwords. Checking whether keystrokes look human. An Ajax CAPTCHA system. Each photo has several attributes, so “Animal, Costume, Boy” means a photo containing an Animal, Costume, and Boy. The list contains several descriptions like Read the rest…

Posted by Michael Mahemoff at 4:57 pm

3.3 rating from 8 votes

Thursday, December 15th, 2005


Category: Programming, Remoting, Security

Simon Willison, now at Yahoo!, reports that Yahoo! has JSONified its APIs: As of today, JSON is supported as an alternative output format for nearly all of Yahoo!’s Web Service APIs. This is a Really Big Deal, because it makes Yahoo!’s APIs available to JavaScript running anywhere on the web without any of the normal problems Read the rest…

Posted by Michael Mahemoff at 6:51 pm

4.2 rating from 13 votes

Friday, November 25th, 2005

Web Browser Developers Work Together on Security

Category: Security

It was great to see browser developers getting together to take on security: Core KDE developer George Staikos recently hosted a meeting of the security developers from the leading web browsers. The aim was to come up with future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate Read the rest…

Posted by Dion Almaer at 10:39 am
1 Comment

3.6 rating from 14 votes

Thursday, November 24th, 2005

Cross-Domain Ajax. Security Implications in Depth

Category: Security

Joe Walker has joined a discussion on Cross Domain XHR. He talks about the areas of concern: Resource Theft: Resource theft can happen when Jack Innocent visits the website of Evil Bob. Evil Bob has written some XHR code that repeatedly requests compute expensive pages from the site of Victim Inc. Thus Evil Bob gets Read the rest…

Posted by Dion Almaer at 2:01 am

3.1 rating from 9 votes