Hi Andrew,

I replied to you on the Ajax mailing list with the following:

You really should consider what data you *have* to send over vs. sending 
*all* data over. You can do things such as making smaller XHR requests 
or returning fully formatted HTML that contains the results you're 
expecting.

It appears that your biggest worry is someone determining your data 
structure from what's being returned from your XHR request. If that's the 
case, as James Holmes suggested, try aliasing your columns. In addition, 
you might also want to consider another data format such as JSON or XML 
where you can define how your data nodes will be named and used within 
your JS. In essence, that is a form of obfuscation.

Finally, here's some good reading for you on Ajax security. These 
articles helped me out and hopefully will help put you at ease:

http://www.securityfocus.com/infocus/1868
http://shiflett.org/archive/250

Rey...
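One way to put the first two suggestions into practice (send only what the page needs, and hide the real column names behind aliases), shown here as an added JavaScript example rather than ColdFusion code from the thread; the product table, its column names and the `PRODUCT_VIEW` mapping are constructed for illustration:

```javascript
// Added example, not from the thread: the server-side half of the advice
// above. Instead of handing a whole query (with its real column names) to
// CFWDDX, each row is projected through an explicit allow-list of public
// field names before it is serialised to JSON for the XHR response.

// Constructed sample: what a query against an imaginary products table returns.
const queryRows = [
  { prod_id: 101, prod_name: "Widget", unit_cost: 4.5, retail_price: 9.99, supplier_id: 7 },
  { prod_id: 102, prod_name: "Gadget", unit_cost: 12.0, retail_price: 24.0, supplier_id: 9 },
];

// Response contract: public name -> internal column (hypothetical mapping).
// Columns not listed (cost, supplier) never leave the server, and the
// internal column names themselves are not revealed to the browser.
const PRODUCT_VIEW = {
  id: "prod_id",
  name: "prod_name",
  price: "retail_price",
};

// Build the outgoing rows strictly from the view, never from the row itself.
function projectRows(rows, view) {
  return rows.map((row) => {
    const out = {};
    for (const [publicName, column] of Object.entries(view)) {
      if (!(column in row)) throw new Error(`view refers to missing column ${column}`);
      out[publicName] = row[column];
    }
    return out;
  });
}

// What the XHR handler writes to the response body.
function buildResponse(rows, view) {
  return JSON.stringify({ results: projectRows(rows, view) });
}

// Regression check for a test suite: list every internal column name that
// still appears as a JSON key in the serialised body (should be empty).
function leakedColumnNames(body, rows) {
  const internal = new Set(rows.flatMap((r) => Object.keys(r)));
  return [...internal].filter((col) => body.includes(`"${col}":`));
}
```

Serialising `queryRows` directly (as a WDDX recordset effectively does) would expose all five column names; the projected body exposes none of them.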

Andrew McDuff wrote:
> Hi everyone, 
> 
> I've started to get worried about security whilst developing some test apps. 
> I'm using a combination of MX7 (mainly form work and queries), AjaxCFC 
> (standard XMLHttpRequest calls to CFCs) and JS to do quite a bit of DOM 
> manipulation in the callback Ajax function. Basically, I'm using the CFWDDX 
> tag (with the "cfml2js" parameter) which takes a CF query and dynamically 
> creates a JS WddxRecordSet object which also contains an array containing the 
> data from the query. In this case, this is achieved via the WDDX JS library. 
> AjaxCFC is also using the same WDDX technique. 
> 
> By using the WDDX technique, the resulting JS RecordSet objects end up being 
> visible in the user's browser. Therefore, all the data from the queries can 
> be openly seen in the "view source". I can't use an obfuscator because the JS 
> WddxRecordSet is created dynamically by both CFWDDX and AjaxCFC. It's a bit 
> 'nasty' for users / hackers to start unravelling your database work by 
> studying the JS WddxRecordSet code across a number of different Ajax apps and 
> / or invite folks to try all sort of hacking techniques, etc..etc.. But what 
> to do? 
> 
> The answer seems to be move more of the work to server-side and avoid / 
> reduce Ajax - after all, one of Ajax's central themes is the XMLHttpRequest 
> object and well, that's Javascript. Maybe I could move the cfwddx tag into a 
> CFC which is invoked via an AjaxCFC call ? (Although I don't know if that 
> would help much - at the end of the day, you can go to the browser's cache and get 
> what you want). Is the answer (perhaps, controversially) just avoid Ajax 
> altogether and stick to good old page-to-page, step-by-step navigation in a 
> web-app (standard shopping-cart style apps)? 
> 
> Anyone else out there with any thoughts / ideas or have started looking at 
> techniques to make things 'harder' ?
> 
> Cheers, Andy
> 
> Madrid, Spain
> 
> p.s. Apologies - I've also posted this in the Ajax forum but it doesn't look 
> too active.
> 
> 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269604