Great minds building great systems

Archive for November, 2009

Ajax Security


Ajax is sweeping across Web site development projects like a wildfire. Ajax is a multi-dimensioned technology with communications back-and-forth between client and server and manipulation of the document object model (DOM) at the browser. The power of Ajax enables browser-based applications to perform much like a desktop application with real-time notifications, partial-page refreshing, and other inviting features. However, this power comes at the price of additional security threats and must be managed accordingly. Some of these threats include:

  • Security controls embedded in client-side scripts, which attackers can read and modify at will
  • Increased complexity of the programming domain, therefore increasing the testing requirements and the potential for attacks
  • Lack of authentication and input validation controls for the non-business user audience
  • Increased potential for cross-site scripting and cross-site request forgery attacks
  • Dynamic JavaScript evaluations leading to the potential for dynamic JavaScript script attacks
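The following is an added example, not code from the original post, showing three defensive habits that address the threats listed above: parsing server responses as data instead of evaluating them as script, escaping data before it is written into the DOM, and treating client-side validation as a convenience that the server must repeat while the request carries an anti-CSRF token. The header name `X-CSRF-Token`, the username rule, and the sample responses are assumptions constructed for the example.

```javascript
// Added example (not from the original post). Assumes a hypothetical
// X-CSRF-Token header that the server compares against the session's token.

// 1. Never eval() a server response. eval("alert(1)") would run whatever the
//    response (or anyone who can tamper with it) contains; JSON.parse only
//    accepts plain data and throws on anything else.
function parseAjaxResponse(body) {
  return JSON.parse(body);
}

// 2. Data becomes text, not markup, before it reaches the DOM. innerHTML with
//    unescaped server data is the classic Ajax cross-site scripting sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the HTML for a partial-page refresh of a notification list.
function renderNotifications(items) {
  const lis = items.map((item) => '<li>' + escapeHtml(item.text) + '</li>');
  return '<ul>' + lis.join('') + '</ul>';
}

// 3. A client-side check gives the user fast feedback but is not a security
//    control: an attacker simply bypasses the script. The server must apply
//    the same rule, and every state-changing request carries a CSRF token.
function isValidUsername(username) {
  return /^[a-z0-9_]{3,16}$/i.test(username);
}

function buildUpdateRequest(csrfToken, username) {
  if (!isValidUsername(username)) {
    return null; // usability only; the server re-validates
  }
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-Requested-With': 'XMLHttpRequest',
      'X-CSRF-Token': csrfToken, // hypothetical header; server verifies it
    },
    body: JSON.stringify({ username }),
  };
}

// Constructed sample responses: one legitimate, one carrying script.
const GOOD_RESPONSE = '[{"text":"New message from alice"}]';
const BAD_RESPONSE = 'alert(document.cookie)';

function demo() {
  const items = parseAjaxResponse(GOOD_RESPONSE);
  let evalRejected = false;
  try {
    parseAjaxResponse(BAD_RESPONSE);
  } catch (e) {
    evalRejected = true; // script is not data, so it is rejected
  }
  return {
    html: renderNotifications(items.concat([{ text: '<img src=x onerror=alert(1)>' }])),
    evalRejected,
    request: buildUpdateRequest('hypothetical-token', 'alice_01'),
  };
}
```

The escaped rendering keeps the injected `<img>` tag as visible text rather than a live element, and the request builder refuses to send anything the client-side rule rejects while still relying on the server to enforce that rule and check the token.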

The Ajax landscape is definitely an exciting one, but fraught with new threats. Therefore, a shrewd development team must incorporate new methodologies and testing techniques to thwart these new threats.
