XML security vendor Forum Systems issued a warning about Ajax security issues last month, and it believes that as more Ajax-style applications emerge, many organizations need to consider their potential security flaws and performance problems.
"We are not issuing a warning," said Walid Negm, vice president of marketing at Forum Systems in Salt Lake City. "We just feel the need to get people thinking about security and scalability requirements. We are always looking at technologies that use XML. This is our business."
Forum Systems works on improving XML content filtering, Web services security, and XML acceleration.
Negm points to a number of potential problems. First, he says, malicious users could send bad data, in particular by crafting a hostile client. Another problem is unauthorized access: in an Ajax application without server-side protection, an authorized user can quickly elevate his or her access level.
The biggest threat is malformed data. "Because of the use of asynchronous code," he said, "denial of service can occur easily. One potential result is a server outage, or a denial of service that causes the server to crash."
"Ajax has some security problems for Web applications, and unless you install an application firewall on the server side, you cannot be protected," Negm said.
"Although performance is a big problem, you need to consider how data affects performance," he said. "Ajax allows you to validate data better, but you have to deal with additional validation requirements, which is also a headache for the server."
Asked whether issuing a warning was a bit self-serving, Negm replied: "There is a problem, but there is a greater risk in not presenting it. We are satisfied with our security record. The details behind the warning need to be explored. It's not a rush, but we're getting developers to study this."
Jason Bloomberg, senior analyst at ZapThink in Waltham, Massachusetts, said: "The security problem with Ajax is one that simple Web pages do not face, and it's very necessary to understand that. Forum has begun to pay attention to the threat, so it is natural to issue a warning."
Adaptive Path is a user-experience consulting firm in San Francisco. "In a way, Ajax applications move business logic from the server to the client, so the business logic is exposed," says Jesse James Garrett, its director of user experience strategy. "Depending on the application, this approach increases the potential security risk."
Garrett said: "The next issue is data security. Ajax applications can rely on the Web's underlying encryption layer to encrypt the XML documents that carry the data communications."
Garrett said: "In addition, Ajax has another problem. What we do is reduce the user's involvement in the server communication. Now server communication is completely invisible to the user, so data can be sent without the user noticing. This is a big risk."
Dion Almaer, one of the founders of the Ajax community site Ajaxian.com, believes that nothing in Ajax is unsafe in itself, but there are still some problems.
"Developers have to figure out what they're doing," he said. "You can develop a very rich Ajax application that requires sending data from the browser to the server. You need to make access to the server secure, just as you would when using desktop technology. For example, you don't want your Ajax application to be able to send any SQL to the back end and run it. Hackers can take advantage of that and manually send unwanted requests. Also, do not perform eval() on anything, and be wary of XSS probes."
"The bottom line is to keep your server side as secure as possible," Almaer said. "It's good for you."
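An added illustration of Almaer's two points, not code from the article or from anyone quoted in it: the first part shows what happens when an Ajax response body is fed to eval() instead of JSON.parse(), and the second keeps the query and the authorization decision on the server, so the browser can only name a fixed action. The in-memory store, the session object and the action names are hypothetical.

```javascript
// Added example (not from the article). Part 1: eval() versus JSON.parse()
// on two constructed response bodies.
const goodBody = '{"user":"alice","role":"viewer"}';
// Constructed tampered body: valid-looking JSON followed by executable code.
const taintedBody =
  '{"user":"alice","role":"viewer"}); globalThis.evalRan = "code executed"; (1';

// The old idiom: eval the body to turn it into an object. Whatever the body
// contains is executed in the page, not merely parsed.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// JSON.parse accepts data only; trailing code is a syntax error, not a script.
function parseWithJsonParse(body) {
  try {
    return JSON.parse(body);
  } catch (err) {
    return null; // reject the response rather than execute it
  }
}

// Part 2: server side. The client names an action; it never sends a query,
// and its claimed role is ignored in favour of the server's session record.
const records = { 1: { id: 1, owner: 'alice', text: 'hello' } }; // hypothetical store
const ACTIONS = {
  read: (session, params) => {
    const r = records[params.id];
    return r && r.owner === session.user ? r : null;
  },
  delete: (session, params) => {
    if (session.role !== 'admin') return null; // decided here, not in the browser
    delete records[params.id];
    return { deleted: params.id };
  },
};

function handleRequest(session, request) {
  const action = ACTIONS[request.action];
  if (!action) return { error: 'unknown action' }; // anything else is unreachable
  return action(session, request.params || {}) || { error: 'forbidden' };
}
```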
Garrett responded: "The most important thing in developing and deploying any application is good planning. Developing Ajax has a certain amount of complexity, which gives the development team more to think about when making its choices."