Forum Systems, an XML security vendor, warned of security issues last month, and Walid Negm, vice president of marketing at the Salt Lake City company, believes that as more and more Ajax-style applications emerge, many organizations need to consider potential security flaws and performance issues.
"We are not issuing a warning," Negm said. "We just feel the need to get people thinking about security and scalability requirements. We are always looking at technologies that use XML. This is our business."
Ajax is short for Asynchronous JavaScript and XML. It enhances the user experience by enabling rich web applications. According to Forum, Ajax increases the amount of network traffic in XML, text, and HTML by using more interactive pages that interoperate with Web services. The company believes this load becomes a weakness for Web services because they rely on XML as the request/response content type. The company also points out that by turning users' web browsers into Web services portals, the Ajax communication model increases the reliability of browser processing.
Forum is working to improve its XML content filtering, Web services security, and XML acceleration capabilities.
Negm points to a number of potential problems. First, he says, malicious users could send malformed data, in particular by building a hostile client. Another problem is unauthorized user access: in an Ajax application, an authorized user can quickly escalate his or her privilege level unless there is server-side protection.
The biggest threat is malformed data. "Because of the use of asynchronous code, denial of service can occur easily," he said. "One potential result is a server outage, or a denial of service that causes the server to crash."
"Ajax has some security problems with Web applications, and unless you install an application firewall on the server side, you can be protected," Negm said.
"Although performance is a big problem, you need to consider how data affects performance," he said. "Ajax allows you to better validate data, but you have to deal with additional validation requirements, which is also a headache for the server."
Asked whether issuing such a warning was a bit self-serving, Negm replied: "There is a problem, but there is a greater risk in not presenting it. We are satisfied with our safety record. The details behind the warning need to be explored. It's not a rush, but we're getting developers to study this."
Jason Bloomberg, senior analyst at ZapThink in Waltham, Massachusetts, said: "The security problems that Ajax poses are something a simple Web page doesn't face, and it's really important to know that. Forum has begun to pay attention to the threat, so it is natural to issue a warning."
Adaptive Path is a user-experience consulting firm in San Francisco. "In a way, Ajax applications move business logic from the server to the client, so the business logic is exposed," says Jesse James Garrett, its head of user experience strategy. "Depending on the application, this approach increases the potential security risk."
Garrett said: "The next issue is data security. Ajax applications can rely on the web's underlying encryption layer to encrypt the XML documents that carry the data communications."
Garrett added: "In addition, Ajax has a problem. What we do is reduce the user's involvement in the server communication. Now, server communication is completely invisible to the user, so data can be sent without the user being aware of it. This is a big risk."
Dion Almaer, a co-founder of the Ajax community site Ajaxian.com, believes that nothing in Ajax is unsafe, but that there are still some problems.
"Developers have to figure out what they're doing," he said. "You can develop a very rich Ajax application that requires sending data from the browser to the client. You need to make access to the server secure, just as you would when using desktop technology. For example, you don't want your Ajax application to be able to send any SQL to the backend and run it. Hackers can take advantage of that and manually send unwanted requests. Also, do not perform eval() on anything, and be wary of XSS probes."
"The bottom line is to keep your server side as secure as possible," Almaer said. "It's good for you."
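An added example, not code from the article or from any of the companies quoted, that puts Almaer's three points (no SQL from the browser, no eval() on responses, server-side access control) and Negm's point about server-side protection against privilege escalation into a minimal Node.js Ajax endpoint. The order table, session store and request shape are constructed for the illustration.

```javascript
// Constructed server-side data and session store (stand-ins for a database
// and an authentication layer).
const ORDERS = [
  { id: 1, owner: 'alice', total: 40 },
  { id: 2, owner: 'bob', total: 75 },
];
const SESSIONS = {
  's-alice': { user: 'alice', role: 'user' },
  's-carol': { user: 'carol', role: 'admin' },
};

// Server side. The Ajax client sends a parameter (an order id), never SQL text.
// Any "role" or "sql" field the client puts in the body is simply ignored.
function handleGetOrder(sessionId, body) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 401, body: { error: 'not authenticated' } };

  // Strict input validation: the id must be a positive integer. A string such
  // as "1 OR 1=1" fails here; a parameterized query gives the same guarantee
  // at the database layer.
  const id = body && body.orderId;
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: { error: 'orderId must be a positive integer' } };
  }

  const order = ORDERS.find((o) => o.id === id);
  if (!order) return { status: 404, body: { error: 'no such order' } };

  // Authorization is decided from the server-held session, not from anything
  // the client claims about itself, so a user cannot "promote" himself.
  if (session.role !== 'admin' && order.owner !== session.user) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: order };
}

// Client side: parse the XMLHttpRequest response as JSON instead of eval()'ing
// it, and accept only a plain object, so script in a response is never run.
function parseResponse(text) {
  const data = JSON.parse(text); // throws on anything that is not valid JSON
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('unexpected response shape');
  }
  return data;
}

// Stand-alone demonstration: a client-supplied role does not grant access.
console.log(handleGetOrder('s-alice', { orderId: 2, role: 'admin' }).status); // 403
console.log(parseResponse('{"id":1,"owner":"alice","total":40}').total);     // 40
```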
Garrett responded: "The most important thing in developing and deploying any application is good planning. Developing Ajax has a certain amount of complexity, which makes the development team think more about the choices it makes."