[LINK] AJAX May Be Considered Harmful

Craig Sanders cas at taz.net.au
Mon Jan 8 15:34:34 AEDT 2007


On Mon, Jan 08, 2007 at 02:13:57PM +1100, Roger Clarke wrote:
> At 11:49 +0900 8/1/07, brd at iimetro.com.au wrote:
> >The paper is called 'Subverting AJAX'
> ><http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf>
> >(pdf), and outlines a possible Web Worm that lives in the very
> >fabric of Web 2.0
> >and could kill the Web as we know it."
> 
> Unsurprisingly, the server's suffering overload ...
> 
> 
> Note the pre-counter at
> http://it.slashdot.org/it/06/12/01/1634203.shtml
> An anonymous reader writes
> "Jeremiah Grossman (CTO of WhiteHat Security) has published
> Myth-Busting - an article dismissing the hyped-up claims that AJAX
> is insecure. He says: 'The hype surrounding AJAX and security risks
> is hard to miss. Supposedly, this hot new technology responsible for
> compelling web-based applications like Gmail and Google Maps harbors
> a dark secret that opens the door to malicious hackers. Not exactly
> true ... Word on the cyber-street is that AJAX is the harbinger
> of larger attack surfaces, increased complexity, fake requests,
> denial of service, deadly cross-site scripting (XSS), reliance on
> client-side security, and more.

the problem isn't specific to "AJAX" (which, really, is not a new
technology, it's just a fancy new name for web pages with javascript
code).

the problem is inherent to running untrusted programs.  AJAX (and
javascript in general) doesn't increase the risk, it just makes it more
commonplace...especially as people start to think that trusting random
code from random sites is normal behaviour.

> In reality, these issues existed well before AJAX. And, the
> recommended security best practices remain unchanged.'"

yes. and the recommended best practice is to disable javascript (and
java and shockwave and all other executable content from web sites).
enable them ONLY for sites that you would trust to run arbitrary
programs on your computer (remember that you can't restrict WHAT the
code does*, you can only decide whether the site can run js/swf/java/etc
code or not).


* with a few very limited exceptions. e.g. there are options in some
browsers to disable changing the status bar or popping up a new window.
those things are very specific actions and thus easy to block.

craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)
