Dinis Cruz wrote: > I personally think that AJAX has the potential to create very insecure > applications because it pushes the data validation and authorization layers > back to the client (i.e. the browser) > > "AJAX brings 'Back the Rich Client' and all its security problems" > > Kentaro, on your AJAX application you must follow the rule-of-thumb of not > trusting any data supplied by your own Client-Side-AJAX functions, and > authorize every request. > > In a nutshell: any data validation and authorization decisions/actions made > at the Client-Side-AJAX functions are only there for usability, and have NO > security value.
I enthusiastically agree with the above. I'll take it further and suggest that, even then, the input from the Web should/must be examined and sanitized before use . . . /*still*/ need to check for SQL injection attacks, etc. IMNSHO, identification, authorization and validation should always be done by the part of the system that is at risk if the input is bad (in any of the connotations of bad) . . . Cheers, /g _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php