Ajax security hazards will be site time bombs (1)

Source: Internet
Author: User

Ajax is a web development technology used to create interactive web applications. Its development is very different from the traditional CS development. These differences introduce new programming problems, the biggest problem is ease of use. Currently jQuery, Mootools, Dojo, and Ext JS are popular Ajax frameworks.

However, along with the development of Ajax applications, we have discovered some of its shortcomings, and we have found that its security vulnerabilities are gradually becoming larger, it is like slowly placing Ajax-based sites into a time bomb.

Benefits of Ajax

In the era of Web applications, things were very simple. You fill out a form, click the "Submit" button, and the current screen disappears. After a while, you will be transferred to the next page. Today's situation is no longer the case. What users need is a Web experience that is as smooth, fast, and user-friendly as any desktop application.

Ajax is often used in collaboration with DHTML (Dynamic HTML). The smooth execution of Ajax requires that JavaScript code on the webpage be allowed to communicate seamlessly with the web server in the background. For example, when you start to input something in the search box of Google Suggest, the web page will start to exchange data with the server in the background, and then give some entries that you may need. All of this requires no page refresh or any button. That's why applications like Gmail can perform real-time spelling checks.

How Ajax works

The complex principles of Ajax are beyond the scope of today's explanation. Here is a brief description. The JavaScript code on your page can contact your Web server without relying on users. The core role here is the JavaScript XMLHttpRequest object, which can be triggered either in the background or asynchronously by a user tapping the keyboard or clock event (that is, the term Asynchronous JavaScript and XML ). If you enter "Ajax" in Google Suggest, you will get the same server request as the one I entered:

1. www.google.com/complete/search? Hl = en & js = true & qu = aj
2. www.google.com/complete/search? Hl = en & js = true & qu = aja
3. www.google.com/complete/search? Hl = en & js = true & qu = Ajax

The XML part in this term may cause misunderstandings. In fact, this Part has no meaning. It is the name obtained from a JavaScript Object, and many Ajax-style applications use XML, which can send a request to the server for any transaction. Even JavaScript code itself can be retrieved and evaluated. After entering "Ajax example", the following response will be generated from the Google Server:

  1. sendRPCDone(frameElement, “Ajax example”,   
  2. new Array(”Ajax example”, “Ajax examples”),   
  3. new Array(”153,000 results”, “177,000 results”),   
  4. new Array(”")); 

This will give you some hints about powerful Ajax. It has the ability to add new JavaScript code to the browser at runtime (on the fly. However, the optimal method seems to have bound the XML protocol. For example, Google generates the following: Ajax example 153,000; Ajax examples 177,000.

Obviously, you can interpret the XML data in a suitable form, but thanks to JavaScript, it can handle XML objects very well under some very typical restrictions and a lot of annoying IE Bug environments. To help you understand some Ajax problems, I am here to introduce you to a hypothetical travel company, "cutting-edge travel companies of the Times ". Driven by Ajax bugs, Max Uptime, the main Web developer, decided to use Ajax in combination to create such an application. In this way, he is at the forefront of the times.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.