Dangers of Ajax
I'm always one for exploring new technologies, and in recent months my focus has been on Ajax and Rich Internet Applications, mainly because this is what I do at Bitopia. One thing that has been bothering me about the resurgence of javascript is that it places too much emphasis on the client side. People are diving into this more easily accessible technology without thinking properly and considering the dangers.
Imagine an application that relies on processing a form using Ajax. Two methods are used: one examines the form and checks it for errors and correct content, and the other sends the form to the server for processing. Using a simple javascript console, or the more advanced Greasemonkey plugin for Firefox, a hacker could easily fill in the form and call the submission method directly, skipping the check. The server assumes that the javascript on the client side has already validated the form and processes the information as if it were correct. This presents a clear security risk.
I know, it's a poor example, but it does highlight the need for increased developer awareness of these issues. Relying on javascript for validation is a big mistake, and I've noticed a few sites out on the web, which will remain nameless, that could be exploited using the tools mentioned.
Form validation in javascript should only be used to reduce bandwidth and to give the user better feedback about why a form field contains content that isn't acceptable. The server must apply the same validation, or stricter, to every submission it receives, so that a hacker cannot bypass the client-side checks to exploit your website or application.
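As an added example (not code from the original post), the following shows the pattern above in Node-style javascript: one set of validation rules is written once and run both in the browser for feedback and again on the server, so a request that calls the submission endpoint directly, bypassing the page's checks, is still rejected. The field names, rules and the `clientValidated` flag are constructed for this example.

```javascript
// Validation rules shared by client and server. Each returns null when the
// value is acceptable, otherwise a message suitable for showing to the user.
const RULES = {
  username: (v) =>
    typeof v === "string" && /^[a-z0-9_]{3,16}$/.test(v)
      ? null : "3-16 lowercase letters, digits or underscores",
  email: (v) =>
    typeof v === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)
      ? null : "must look like an email address",
  age: (v) =>
    Number.isInteger(v) && v >= 13 && v <= 120
      ? null : "must be a whole number between 13 and 120",
};

// Runs every rule over the submitted fields. On the client this drives the
// error messages next to each field; on the server it is the security check.
function validateForm(fields) {
  const errors = {};
  for (const [name, check] of Object.entries(RULES)) {
    const msg = check(fields[name]);
    if (msg !== null) errors[name] = msg;
  }
  return errors;
}

// The flawed handler from the post: it trusts that the page's javascript
// already validated the form and processes whatever arrives.
function handleSubmitTrusting(body) {
  return { status: 200, saved: body };
}

// Hardened handler: re-validates on the server and ignores any client-supplied
// claim (such as a "clientValidated" flag) that the data was already checked.
function handleSubmitValidated(body) {
  const errors = validateForm(body);
  if (Object.keys(errors).length > 0) {
    return { status: 400, errors };
  }
  // Copy only the known fields so unexpected extras are never stored.
  const { username, email, age } = body;
  return { status: 200, saved: { username, email, age } };
}

// Constructed request body as it would arrive when the submission method is
// called directly, without the client-side check ever running.
const BYPASS_REQUEST = { username: "Bad User!", email: "not-an-email", age: -5, clientValidated: true };
```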