Network Computing is part of the Informa Tech Division of Informa PLC

AJAX Vulnerabilities != Web Services Vulnerabilities

AJAX is in the news. Not for being an exciting "new" (I disagree with this description and anyone who makes such a claim, for the record) technology but for its ability to potentially expose clients (browsers, really) to vulnerabilities.
Forum Systems sent out an alert this week regarding AJAX through its Vulcon XML security alert service. It was picked up by everyone who follows not only Web 2.0 news, but Web Services as well.

The concern is not necessarily for the server, though the server-side components of AJAX could potentially be exploited, but for the client. Because AJAX relies on JavaScript to parse and execute commands on the data coming back from the server, and because those functions are generally visible right in the source of the page, they are vulnerable to being exploited.

While a man-in-the-middle attack could potentially exploit the basic workings of AJAX, it's more likely that mean-spirited functionality would be planted on a server and the client somehow directed to the site, resulting in "bad" code maliciously doing something nasty to the user's system.
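The two paragraphs above describe the client-side risk in general terms: the browser takes whatever comes back from the server and hands it to script. The following is an added example, not code from the original article or from Forum Systems, that contrasts the early AJAX habit of evaluating the response text as JavaScript with a hardened callback that treats the response strictly as data and validates its shape. The function names (`parseWithEval`, `parseAsData`, `escapeHtml`), the `sideEffects` marker and the sample responses are constructed for this illustration.

```javascript
// Added example (not from the original article). Shows why a callback that
// evaluates the server response as code is at the mercy of whoever controls
// that response (the server, or a man-in-the-middle), and how a data-only
// parser with field validation removes that dependency.
// All names below are assumptions made for this example.

// Records whether parsing caused anything to run beyond data extraction.
// The marker is a constructed stand-in for "some unexpected code ran".
const sideEffects = [];
globalThis.__example_marker = () => {
  sideEffects.push("code ran while parsing a response");
  return 0;
};

// Pattern found in early AJAX code: eval() the response text to get an
// object. Any expression the response carries is executed in the page.
function parseWithEval(responseText) {
  // eslint-disable-next-line no-eval
  return eval("(" + responseText + ")");
}

// Hardened form: JSON.parse never executes code, and the result is checked
// against the exact shape the page expects before any field is used.
// Returns null for anything that is not a well-formed {user, count} record.
function parseAsData(responseText) {
  let obj;
  try {
    obj = JSON.parse(responseText);
  } catch (err) {
    return null; // not JSON at all
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return null;
  }
  if (typeof obj.user !== "string" || typeof obj.count !== "number") {
    return null;
  }
  // Copy only the known fields so unexpected properties never reach the page.
  return { user: obj.user, count: obj.count };
}

// When the parsed data is later written into the page, it should go in as
// text, not as markup. textContent does this in a browser; this helper is
// the equivalent escaping for code that builds HTML strings by hand.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample responses: one as the page expects, one carrying an
// expression instead of a number.
const benignResponse = '{"user": "alice", "count": 3}';
const tamperedResponse = '{"user": "alice", "count": __example_marker()}';

// Stand-alone demonstration.
console.log("data parser, benign:", parseAsData(benignResponse));
console.log("data parser, tampered:", parseAsData(tamperedResponse)); // null
console.log("escaped:", escapeHtml('<b>alice</b>'));
```

The tampered response is not valid JSON, so `parseAsData` rejects it outright; the same text fed to `parseWithEval` is accepted and the embedded expression runs. Rejecting rather than repairing malformed responses is the point: the callback should have no code path in which the server's bytes become executable script.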

Opponents of Web Services might view this as yet another reason to stay away from such technology. But this isn't a Web Services problem, it's not a SOAP problem, nor is it really a server-side problem. It's wholly on the client's shoulders at this point, as the entire technology set must rely upon the scripting language available within the browser to implement the technology. The use of underlying objects accessible through JavaScript in the browser to accomplish this task is indeed ingenious - a much better solution than, say, using a DIV and an IFRAME and some PHP calls, although the result is strikingly similar.

The problem is that there aren't too many "free" or at least inexpensive alternatives. Although Adobe has announced it will freely distribute the SDK for its Flex 2.0 technology, which is not only asynchronous but also synchronous and utilizes a pub/sub model for bi-directional communication, only the SDK is free; the design-time environment will still cost ya a pretty penny, even if you're just trying to learn about the technology.