Ajax security issues cannot be ignored

Tags: web services, client access, Ajax, security, issues

XML security vendor Forum Systems issued a warning on security issues last month; the company believes that as more and more Ajax-style applications emerge, many organizations need to consider their potential security flaws and performance issues.

"We are not issuing a warning," said Walid Negm, vice president of marketing at Forum Systems in Salt Lake City. "We just feel the need to get people thinking about security and scalability requirements. We are always looking at technologies that use XML. This is our business."

Ajax is the abbreviation for Asynchronous JavaScript and XML. It enhances the user experience by enabling rich network applications. According to Forum, Ajax increases the amount of XML, text and HTML network traffic, because its more interactive pages interoperate with Web services. The company believes this load becomes a weakness for Web services, since they rely on XML as the request/response content type. It also points out that by turning users' web browsers into Web services portals, the Ajax communication model increases reliance on browser-side processing.

Forum Systems is working on XML content filtering, Web services security, and XML acceleration.

Negm points to a number of potential problems. First, he says, malicious users could send dirty data, in particular by building hostile clients. Another problem is unauthorized user access: in an Ajax application, an authorized user can quickly escalate his or her privilege level if there is no server-side protection.

The biggest threat is malformed data. "Because of the use of asynchronous code," he said, "denial of service can occur easily. One potential result is a server outage, or a denial of service that causes the server to crash."

"Ajax has some security problems with Web applications, and unless you install the application firewall on the server side, you can be protected," Negm said.

"Although performance is a big problem, you need to consider how data affects performance," he said. "Ajax allows you to better validate data, but you have to deal with additional validation requirements, which is also a headache for the server."
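The three points Negm makes above (hostile clients sending malformed data, privilege escalation when the server does not enforce access itself, and the validation burden landing on the server) can be shown in one server-side gatekeeper. The following is an added example written for this page, not code from Forum Systems or from the article; it is plain Node.js with no dependencies, and the session table, the action list and the 4 KB size cap are constructed assumptions.

```javascript
// Added example: a server-side gate for Ajax requests.
// Weak pattern first (role taken from the client), hardened form after.

const MAX_BODY_BYTES = 4096; // assumption: this endpoint only takes small JSON bodies

// Constructed server-side session table (a real app would use a session store).
const SESSIONS = {
  "sess-alice": { user: "alice", role: "user" },
  "sess-root": { user: "ops", role: "admin" },
};

// The only actions that exist, each with the role required to call it.
const ACTIONS = { getProfile: "user", deleteUser: "admin" };

// Weak: the privilege level comes from the request body, so any authenticated
// user can "escalate" simply by editing the JSON their browser sends.
function authorizeTrustingClient(body) {
  const req = JSON.parse(body);
  return ACTIONS[req.action] === "user" || req.role === "admin";
}

// Hardened: cap the size before parsing, parse strictly, accept only known
// actions, and take the role from the server-side session, never the body.
function validateRequest(sessionId, body) {
  if (Buffer.byteLength(body, "utf8") > MAX_BODY_BYTES) {
    return { ok: false, reason: "body too large" };
  }
  let req;
  try {
    req = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "malformed JSON" };
  }
  if (typeof req !== "object" || req === null || Array.isArray(req)) {
    return { ok: false, reason: "body must be an object" };
  }
  // hasOwnProperty guards against names such as "constructor" that exist
  // on every object through the prototype chain.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, req.action)) {
    return { ok: false, reason: "unknown action" };
  }
  const session = SESSIONS[sessionId];
  if (!session) {
    return { ok: false, reason: "not authenticated" };
  }
  if (ACTIONS[req.action] === "admin" && session.role !== "admin") {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, user: session.user, action: req.action };
}

// Stand-alone demo: the same escalation attempt against both checks.
if (typeof require !== "undefined" && require.main === module) {
  const body = '{"action":"deleteUser","role":"admin"}';
  console.log("trusting client:", authorizeTrustingClient(body)); // true
  console.log("hardened:", validateRequest("sess-alice", body)); // forbidden
}
```

The size check runs before JSON.parse on purpose: parsing is the expensive step, so a hostile client that can make the server parse arbitrarily large bodies has an easy denial-of-service lever, which is exactly the "asynchronous code" risk Negm describes.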

Asked whether issuing such a warning was a bit self-serving, Negm replied: "There is a problem, but there is a greater risk in not presenting it. We are satisfied with our safety record. The details behind the warning need to be explored. It's not a rush, but we're getting developers to study this."

Jason Bloomberg, senior analyst at ZapThink in Waltham, Massachusetts, said: "The security problem with Ajax is that simple Web pages can't face it, and it's very necessary to understand that. Forum has begun to pay attention to the threat, so it is natural to issue a warning."

Adaptive Path is a user experience consulting firm in San Francisco. "In a way, Ajax applications move business logic from the server to the client, so business logic is exposed," says Jesse James Garrett, its director of user experience strategy. "Depending on the application, this approach increases the potential security risk."

Garrett said: "The next issue is data security. Ajax applications can rely on the web's underlying encryption layer to encrypt the XML documents that carry the data."

Garrett said: "In addition, Ajax has a problem. What we do is reduce the user's involvement in server communication. Now, server communication is completely invisible to the user, so data can be sent in the user's name. This is a big risk."
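Garrett's point that Ajax moves business logic into the client is best seen with a concrete piece of logic that lives in both places. The following is an added example, not code from Adaptive Path or from the article: a cart total with a bulk discount that the browser computes for display, and a server that recomputes the same figure from its own price list and ignores whatever total the client sent. The catalogue, the discount rule and the line format are constructed assumptions.

```javascript
// Added example: the same pricing rule on both sides of the trust boundary.

// Constructed server-side catalogue; this is the source of truth for prices.
const PRICES = { "sku-book": 20, "sku-lamp": 55 };
const BULK_DISCOUNT = 0.10; // assumption: 10% off when 5 or more items are ordered

// Shared rule: lines are [{ sku, quantity }], priceOf resolves a unit price.
// Throws on unknown SKUs or non-positive quantities rather than pricing them.
function computeTotal(lines, priceOf) {
  let qty = 0;
  let subtotal = 0;
  for (const { sku, quantity } of lines) {
    const price = priceOf(sku);
    if (price === undefined || !Number.isInteger(quantity) || quantity <= 0) {
      throw new Error(`invalid line: ${sku} x ${quantity}`);
    }
    qty += quantity;
    subtotal += price * quantity;
  }
  const total = qty >= 5 ? subtotal * (1 - BULK_DISCOUNT) : subtotal;
  return Math.round(total * 100) / 100; // keep to cents
}

// Browser side: a preview for the user, built from prices the page loaded.
// Anyone can run this with different prices, so its output proves nothing.
function clientPreviewTotal(lines, loadedPrices) {
  return computeTotal(lines, (sku) => loadedPrices[sku]);
}

// Server side: recompute from the catalogue. The client's "total" field is
// only compared for logging; it never decides what is charged.
function priceOrderOnServer(submitted) {
  const priceOf = (sku) =>
    Object.prototype.hasOwnProperty.call(PRICES, sku) ? PRICES[sku] : undefined;
  const total = computeTotal(submitted.lines, priceOf);
  return { total, mismatch: total !== submitted.total };
}

// Stand-alone demo: a client that edits its own total before submitting.
if (typeof require !== "undefined" && require.main === module) {
  const lines = [
    { sku: "sku-book", quantity: 3 },
    { sku: "sku-lamp", quantity: 2 },
  ];
  const preview = clientPreviewTotal(lines, PRICES); // 153
  const charged = priceOrderOnServer({ lines, total: 1 }); // total 153, mismatch true
  console.log({ preview, charged });
}
```

Because the server communication is invisible to the user, a mismatch between the submitted figure and the recomputed one is worth recording: it is the one signal that a request did not come from the page's own logic.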

Dion Almaer, a co-founder of the Ajax community site Ajaxian.com, believes that nothing in Ajax is unsafe, but that there are still some problems.

"Developers have to figure out what they're doing," he said. "You can develop a very rich Ajax application that requires sending data from the browser to the client. You need to make access to the server secure, just as you would when using desktop technology. For example, you don't want your Ajax application to be able to send any SQL to the backend and run it. Hackers can take advantage of it and manually send unwanted requests. Also, do not perform eval() on anything, and be wary of XSS probes."
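Almaer's three rules (do not let the client hand the backend SQL to run, do not eval() responses, and guard against XSS) each map to a small piece of code. The following is an added example written for this page, not code from Ajaxian.com or from Almaer; it shows the eval()-based response handler that early Ajax code commonly used beside a JSON.parse replacement, a named-query table that replaces client-supplied SQL, and an output escaper for rendering server data into HTML. The query table, the response bodies and the bump() counter are constructed for the demonstration.

```javascript
// Added example: the three client/server habits Almaer calls out.

// --- 1. eval() on a response versus JSON.parse -----------------------------
// A counter so the side effect of eval() is observable from outside.
let sideEffects = 0;
function bump() {
  sideEffects += 1;
  return "ran";
}

// Legacy pattern: wrap the body in parentheses and eval() it. Anything the
// response contains besides data is executed with the page's privileges.
function parseWithEval(text) {
  return eval("(" + text + ")"); // intentionally unsafe, for contrast only
}

// Replacement: JSON.parse accepts data and nothing else; code is a SyntaxError.
function parseResponse(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed body: valid JSON followed by a call, the kind of thing a
// tampered or proxied response could carry.
const TAMPERED_BODY = '{"user":"alice"}, bump()';

// --- 2. Named queries instead of SQL from the browser ----------------------
// The client may only name an operation and supply arguments; the SQL text
// and its placeholders live on the server.
const QUERIES = {
  userById: { sql: "SELECT id, name FROM users WHERE id = ?", args: ["id"] },
};

function buildQuery(request) {
  if (!Object.prototype.hasOwnProperty.call(QUERIES, request.op)) {
    return null; // unknown operation: nothing is sent to the database
  }
  const spec = QUERIES[request.op];
  const params = spec.args.map((name) => request.args[name]);
  if (params.some((v) => v === undefined)) {
    return null; // missing argument
  }
  return { sql: spec.sql, params }; // run with a parameterised driver call
}

// --- 3. Escape before inserting server data into HTML ----------------------
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log("eval():", parseWithEval(TAMPERED_BODY), "sideEffects =", sideEffects);
  console.log("JSON.parse():", parseResponse(TAMPERED_BODY));
  console.log(buildQuery({ op: "userById", args: { id: 42 } }));
  console.log(buildQuery({ op: "raw", args: { sql: "DELETE FROM users" } }));
  console.log(escapeHtml('<b>"hi"</b> & \'bye\''));
}
```

Where the page inserts server data with textContent rather than innerHTML no escaping is needed, but any string that is concatenated into markup must go through escapeHtml first.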

"The bottom line is to keep your server side as secure as possible," Almaer said. "It's good for you."

Garrett responded: "The most important thing in developing and deploying any application is good planning. Developing Ajax has a certain amount of complexity, which makes the development team think more about the choices it makes."


