Excellent post on The Register entitled Reduce your exposure to AJAX threats, which talks about three pieces of advice you need to keep in mind when developing AJAX applications. There’s nothing new in terms of security principles, just an application to the fact that a good portion of AJAX applications work on the client’s browser and so are open to client-side manipulation. And if you are using a toolkit that generates AJAX for you, you may not realise how much you are giving away. Here are the main points:
- Keep data seperate from code: The client and server portion of your application will be exchanging data, and potentially code (thanks to the “magic” that? our rich DOM-based paradigms offer today). Make sure the data you exchange never gets executed or used before it is validated. This protects you from injection-type attacks, regardless on the data transport technology you are using. Always assume your data is carrying a dangerous payload and needs to be cleaned. This will protect your code in the long run.
- Beware encoding: If your data is encoded, then this makes it harder for you to see what’s being sent back and forth. Encoding can be broken relatively easily in this case as the client code is visible to anyone who wants to crack your application. If you do use encoding, make sure you are explicit at both ends as to what you are using and make the handshake between your applications “firm”.
I learnt quite a bit about how dangerous AJAX can be while building WP Auctions, but it’s good to see the risks articulated by someone else. Unfortunately, AJAX application are easier to break than? discount furniture, so full awareness of the risks you are exposing yourself and your clients to is of paramount importance. The good news is that if you understand what you’re doing, AJAX gives you the ability to provide a rich experience in a technology-agnostic way to potentially millions of users.