> -----Original Message-----
> From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 03, 2006 1:58 PM
> To: CF-Talk
> Subject: AJAX and security
>
> It has just hit me that AJAX may not be all that safe.
There are at least two angles to explore...

From the server perspective AJAX isn't any safer or more dangerous than any other data path: you have to cover your ass. Whether the information is coming in from a form (hidden or visible fields), a web service call, the URL or AJAX (which is really just another way to do those others) you have to validate the information and make sure it's safe.

From the end-user perspective it's not that much different... but there are some risks. You still have to trust the site that you're using but AJAX techniques make some things potentially more dangerous. Coupling AJAX code with cross-site-scripting vulnerabilities is a very dangerous combination. If a script could run and send information from a site to an unauthorized server - well, that's bad. AJAX techniques let you, in theory, do this without the user's knowledge (but that assumes, of course, that the appropriate vulnerability exists and is being exploited).

There are also potential privacy concerns since AJAX allows for a paradigm switch in communication with web sites. For example you might have, in the past, filled out a form with personal information (or a nasty rant) to some site then, before submitting (committing) it, cleared or cancelled it. With AJAX the information in that form could be sent to the server regardless, without the explicit consent implied by the "submit" button.

This is a gray area to be sure - and it's mirrored in other industries. For example you might know (although most people don't) that most phone support facilities record the conversations even when you're on hold - they "listen" to you even when the actual representative isn't (or isn't seeming to). Now this isn't illegal - you initiated the communication link so they've every right to keep it open - but it is a little disconcerting.

AJAX has the potential to bring similar confusion online. A simple example you're probably familiar with: the "I agree to the terms" checkbox.
Today you check the box but actual acceptance doesn't REALLY happen until you submit the form. You can clear the box if you like. In the AJAX world just clicking the box might transparently and immediately send the information available so far: you DID click the box. Clearing it later doesn't mean anything (try un-signing a contract and see how far you get). You've accepted and AJAX allowed the site to grab your data.

I'm not saying this is or even will become a major issue: but it does represent a distinct, if subtle, change in the way people must consider web site interaction.

Jim Davis

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:228285
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
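The checkbox scenario in the post above, worked through as an added example (this is not code from the thread or from any project it mentions): an eager AJAX design sends every change the moment it happens, while a submit-gated design keeps changes in the browser until the user actually presses submit. The transport object is a constructed stand-in for XMLHttpRequest so the example runs offline, and the field name is made up.

```javascript
// Added example, not code from the CF-Talk thread. Models the "I agree"
// checkbox case: an eager AJAX design pushes every change to the server as it
// happens, a submit-gated design sends nothing until the user explicitly submits.
// makeTransport is a constructed stand-in for XMLHttpRequest so this runs offline.

function makeTransport() {
  const received = [];                         // everything the "server" has seen
  return { send: (payload) => received.push({ ...payload }), received };
}

// Eager design (the behaviour the post warns about): each change is sent
// immediately. Clearing the box later only adds a second record; the first
// "agreed: true" is already on the server.
function eagerForm(transport) {
  const state = {};
  return {
    change(field, value) {
      state[field] = value;
      transport.send({ [field]: value });
    },
    submit() { transport.send({ ...state, submitted: true }); },
  };
}

// Submit-gated design: changes stay in the browser and only the final state
// leaves when the user presses submit, preserving the consent the button implies.
function gatedForm(transport) {
  const state = {};
  return {
    change(field, value) { state[field] = value; },
    submit() { transport.send({ ...state, submitted: true }); },
  };
}

// Scenario from the post: tick the box, change your mind and clear it, then
// either walk away (submit = false) or submit the form. Returns what the
// server received.
function runScenario(makeForm, submit) {
  const transport = makeTransport();
  const form = makeForm(transport);
  form.change('agreed', true);
  form.change('agreed', false);
  if (submit) form.submit();
  return transport.received;
}
```

With the eager form the abandoned session still leaves an "agreed: true" record on the server; with the gated form it leaves nothing, and a real submit carries only the final (cleared) value.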

