On 1/30/06 1:09 PM, "Kenneth R. van Wyk" <[EMAIL PROTECTED]> wrote:
> Any AJAX experts here want to comment on the eWeek article cited below?
>
> http://www.eweek.com/article2/0,1895,1916673,00.asp
>
> It claims, among other things that, "AJAX dramatically increases the amount of
> XML network traffic being transmitted, exposing applications to Web services
> vulnerabilities".
>
> Cheers,
>
> Ken van Wyk

AJAX bothers me strongly for none of the reasons mentioned, which are "curiously" limited to the capabilities of the "solution" from the same source as the alert.

AJAX:

- Forces people to open their browsers to potentially malicious client-side scripts from other sites, unless users actively manage their IE zones (I've rarely found people who even know how to use them) or use something like the NoScript Firefox extension (and even then it needs better SSL support, as it depends on and trusts DNS unless you specify the fully-qualified URL). JavaScript is a notorious attack vector. I have the same issue with Windows Media Player 10 (the internet radio part requires JavaScript to work) and any site that forces visitors to use JavaScript to access content. Requiring JavaScript is unconscionable, security-wise, in my opinion.

- Tempts software developers to assume that it's their code that is running on the client, and to trust it with input validation, access control, and sensitive values. This is a repeated, typical mistake in client-side scripting. Why tempt people into doing stupid things?

Cheers,

Pascal

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
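The second point above, that an AJAX endpoint must not trust the page's own JavaScript for validation, access control or sensitive values, is illustrated by the following added example. It is not part of Pascal's post or the thread; the catalogue, session store and handler names are constructed for illustration. The client-side check is kept only for user feedback, while the server re-validates every field of the JSON body and takes price and role from its own records, so a request that never went through the page's script (or that carries extra fields such as `price` or `isAdmin`) is handled safely.

```javascript
// Added example, not from the original thread. Server-side counterpart to an AJAX form:
// every value in the request body came from the client and may never have passed
// through the page's JavaScript, so nothing in it is trusted.

// Constructed catalogue and session store standing in for a database (hypothetical data).
const CATALOGUE = { "book-101": { price: 24.0 }, "pen-7": { price: 1.5 } };
const SESSIONS = { "sess-abc": { userId: "u1", role: "customer" } };

// What the page's client-side script typically checks before sending the XMLHttpRequest.
// This is for user feedback only; the server cannot know whether it ever ran.
function clientSideValidate(form) {
  return Number.isInteger(form.quantity) && form.quantity > 0 && form.quantity <= 10;
}

// Server-side handler for a JSON body such as {"itemId": "book-101", "quantity": 2}.
// Returns a result object instead of writing an HTTP response so it can be exercised directly.
function handleOrder(sessionId, body) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 401, error: "no session" };

  // Re-validate every field here: the client's JavaScript is not a trust boundary.
  if (typeof body !== "object" || body === null) return { status: 400, error: "bad body" };
  const { itemId, quantity } = body;
  // hasOwnProperty guards against keys like "constructor" resolving via the prototype chain.
  if (typeof itemId !== "string" || !Object.prototype.hasOwnProperty.call(CATALOGUE, itemId)) {
    return { status: 400, error: "unknown item" };
  }
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10) {
    return { status: 400, error: "bad quantity" };
  }

  // Sensitive values (price) come from the server's own records, never from the body,
  // so a client-supplied "price" field is simply ignored.
  const price = CATALOGUE[itemId].price;
  return {
    status: 200,
    order: { userId: session.userId, itemId, quantity, total: price * quantity },
  };
}

// Access control is decided from the server-side session, not from any flag in the body.
function handleAdminReport(sessionId, body) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 401, error: "no session" };
  if (session.role !== "admin") return { status: 403, error: "forbidden" };
  return { status: 200, report: { generatedFor: session.userId } };
}

// Stand-alone run: a body with an extra "price" field still totals from the catalogue price.
console.log(handleOrder("sess-abc", { itemId: "book-101", quantity: 2, price: 0.01 }));
```

The design choice worth noting is that the server never reads fields it does not need: rather than rejecting a body because it contains `price` or `isAdmin`, it computes those values itself, which also makes the endpoint robust to a client script that was modified, outdated, or never loaded.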