AJAX: A Hacker's Dream?
The warning flags are going up about the increasing use of AJAX in Web applications. It seems as though we're increasing the usability of our apps while dropping our guard on security issues. There's a great post by Dan Sellers on multiple potential vulnerabilities in the misuse of the technology. Here are some of the issues Dan discusses:
- Web services left wide open to denial-of-service attacks on endpoints
- Broader attack surfaces created when the attacker can see function names, variables, parameters, return types, and data types
- JavaScript Web service proxies give attackers direct access to trusted back-end resources, which can be leveraged for SQL injection attacks
- Out-of-band JavaScript calls injected by bad guys present a silent and unseen danger
- Hackers could use cross-site scripting to propagate malware like a worm
As Dan suggests, AJAX controls should carry warning stickers about new client-side security issues.
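Two of the issues above (trusted resources reached through the JavaScript proxy, and cross-site scripting) come down to the same rule: data crossing an AJAX boundary is untrusted in both directions. The following is an added example, not code from the original post or from Dan Sellers' article, showing what that looks like in plain JavaScript. The endpoint names, the `getOrders(customerId, status, limit)` proxy method, the `orders` table, and the comment shape `[{author, body}]` are all assumptions made for illustration.

```javascript
// Added example (not from the original post): defensive handling at both ends of an AJAX call.
// Client side: anything the service returns is untrusted; escape it before it becomes markup.
// Server side: every argument arriving through an exposed proxy method is untrusted, even though
// the proxy makes the call look "internal"; validate it and keep it out of SQL text entirely.

// --- Client side: escape service responses before they reach innerHTML ---
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // Replace the five characters that can change HTML structure or break out of an attribute.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders a comment list returned by a hypothetical /api/comments endpoint (assumed shape:
// [{author, body}]). Untrusted fields are escaped, so a stored payload stays inert text.
function renderComments(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// --- Server side: validate parameters of an exposed proxy method before any query runs ---
// Hypothetical method exposed through the JS proxy: getOrders(customerId, status, limit).
const ORDER_STATUSES = new Set(["open", "shipped", "closed"]);

function validateGetOrdersArgs(args) {
  // Allowlist every argument by type and range; reject anything else by name.
  const errors = [];
  if (!Number.isInteger(args.customerId) || args.customerId <= 0) errors.push("customerId");
  if (!ORDER_STATUSES.has(args.status)) errors.push("status");
  if (!Number.isInteger(args.limit) || args.limit < 1 || args.limit > 100) errors.push("limit");
  return { ok: errors.length === 0, errors };
}

// Builds the query as a parameterized statement: fixed SQL text with placeholders plus a separate
// values array, the shape most database drivers accept. User input never becomes SQL text.
function buildGetOrdersQuery(args) {
  const check = validateGetOrdersArgs(args);
  if (!check.ok) throw new Error("invalid arguments: " + check.errors.join(", "));
  return {
    text: "SELECT id, total FROM orders WHERE customer_id = $1 AND status = $2 LIMIT $3",
    values: [args.customerId, args.status, args.limit],
  };
}

// Constructed sample data standing in for a service response and a proxy call.
const sampleComments = [{ author: "alice", body: '5 < 6 & "ok"' }];
console.log(renderComments(sampleComments));
console.log(buildGetOrdersQuery({ customerId: 7, status: "open", limit: 10 }));
```

The point of the server-side half is that exposing the proxy's method names and parameter types (issue two on the list) costs little if every exposed method validates its inputs and uses parameterized statements; the point of the client-side half is that the same escaping applies whether the data came from a form post or from an XMLHttpRequest response.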