Is Web 2.0 Inherently Insecure?

Many Web 2.0 apps pass data as a JavaScript object or as code that can be evaluated in JavaScript. This approach leaves users vulnerable, in particular, to cross-site request forgery

April 12, 2007

Network Computing

Ajax applications may be less secure than standard Web applications. At a minimum, splitting an app into two distinct programmatic components--one for the browser, one for the server--appears to open up Ajax-specific vulnerabilities.

Although the "X" in Ajax stands for XML, many Web 2.0 apps don't actually use XML as a container for the data being sent to and from the client and server. Instead, they pass data as a JavaScript object or as code that can be evaluated in JavaScript, simplifying client-side processing.

The problem--recently highlighted in a Fortify Software advisory and originally described over a year ago--is that this approach leaves users vulnerable, in particular, to cross-site request forgery attacks. In such an attack, a malicious Web site causes your browser to make requests to another domain, sending your current session cookie for that domain, and then reads the returned data by overriding default JavaScript functions before the response is evaluated.

This means a lot of Ajax applications must be updated. If the framework developers can't get it right, what are the odds that an average developer can keep Ajax apps secure? --Jordan Wiens, [email protected]
