On the security of Ajax and the hidden dangers of Ajax (1)

Web developers can hardly have missed the excitement created by AJAX (Asynchronous JavaScript and XML). It is largely thanks to AJAX that smart Web sites like Google Suggest and Web-based applications like Gmail are possible. However, as AJAX applications spread, their shortcomings have become apparent, and their security weaknesses are growing with them, slowly turning Ajax-based sites into a time bomb.

The benefits of Ajax

In the good old days of "Web applications", things were simple. You filled out a form, clicked the "Submit" button, the current screen disappeared, and a little while later the next page arrived. That is no longer enough: what users expect today is a Web experience as fluent, fast and user-friendly as any desktop application.

Ajax is often combined with DHTML (Dynamic HTML), and for it to work smoothly the JavaScript code in the Web page must communicate seamlessly with the Web server in the background. For example, when you start typing in the Google Suggest search box, the page begins exchanging data with the server behind the scenes and offers you some of the entries you might be looking for. None of this requires a page refresh or a button press. The same mechanism is what lets applications like Gmail do real-time spell checking so well.

How Ajax works

The full complexity of Ajax is beyond the scope of this article, so it is only sketched here. The JavaScript code in your page can contact your Web server without the user doing anything. At the centre of this is the JavaScript XMLHttpRequest object, which can be triggered in the background, or asynchronously, by a user's mouse click, a keyboard event or a timer event (hence the term Asynchronous JavaScript and XML).

If you type "ajax" into Google Suggest, the following requests are sent to the server as you type:

1. www.google.com/complete/search?hl=en&js=true&qu=aj
2. www.google.com/complete/search?hl=en&js=true&qu=aja
3. www.google.com/complete/search?hl=en&js=true&qu=ajax

The XML in the name is somewhat misleading, because XML is not required at all. The name comes from the JavaScript object, and although many Ajax-style applications do use XML, the object can send a request to the server for any kind of data. Even JavaScript code itself can be retrieved and evaluated. Completing my input to "ajax example" produces the following response from Google's server:

sendRPCDone(frameElement, "ajax example", new Array("ajax example", "ajax examples"), new Array("153,000 results", "177,000 results"), new Array(""));

This gives you some idea of how powerful Ajax is: it can add new JavaScript code to the browser at runtime (on the fly). The preferred approach, however, seems to be to stick to an XML protocol. For example, Google also produces the following XML (only the element text survives in this copy; the surrounding tags have been lost):

Ajax example
153,000
Ajax examples
177,000

Obviously, you can interpret the XML data in any form that suits you, and thanks to JavaScript the browser handles XML objects reasonably well, within some fairly typical limitations and a fair number of annoying IE bugs.
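The two response styles described above behave very differently on the client. The following is an added example (not code from the article or from Google) contrasting the handler the script-style sendRPCDone protocol requires, which has to evaluate the reply as code, with a handler that treats the reply as data and validates every field before it reaches the page. The JSON layout and field names used for the data-style reply are this example's own assumptions, standing in for the XML layout shown above.

```javascript
// Added example (not from the article or from Google): two ways a page can
// consume an Ajax suggest reply such as the ones shown above.

// Constructed sample in the script style: the reply is a JavaScript call.
const scriptStyleReply =
  'sendRPCDone("ajax example", ["ajax example", "ajax examples"],' +
  ' ["153,000 results", "177,000 results"])';

// The handler such a protocol requires. The reply cannot be inspected before
// it runs, because the reply is the program: whatever the server sends, or
// whatever replaces it on the way, executes with the page's privileges.
function handleByEval(reply, sendRPCDone) {
  return eval(reply); // direct eval: the callback parameter above is in scope
}

// Constructed sample in the data style (assumed JSON layout carrying the same
// fields as the XML reply above; the field names are this example's own).
const dataStyleReply =
  '{"query":"ajax example","suggestions":[' +
  '{"text":"ajax example","count":153000},' +
  '{"text":"ajax examples","count":177000}]}';

const MAX_TEXT = 100; // longest suggestion the page is willing to render

// Strict parse: anything that is not data throws instead of executing, and
// the shape is then checked field by field, so the caller only ever receives
// short plain strings and non-negative integers, never code.
function parseSuggestions(reply) {
  const obj = JSON.parse(reply);
  if (obj === null || typeof obj !== 'object' || !Array.isArray(obj.suggestions)) {
    throw new Error('unexpected response shape');
  }
  return obj.suggestions.map((s) => {
    if (s === null || typeof s !== 'object' ||
        typeof s.text !== 'string' || s.text.length > MAX_TEXT ||
        !Number.isInteger(s.count) || s.count < 0) {
      throw new Error('invalid suggestion entry');
    }
    return { text: s.text, count: s.count };
  });
}
```

When rendering the parsed entries, insert them as text nodes rather than HTML so the validated strings stay data in the DOM as well.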

To help illustrate some of the problems with Ajax, let me introduce a hypothetical travel company, "Time-Advanced Travel". Having caught the Ajax bug, their lead Web developer, Max Uptime, has decided to mix in Ajax so that he can build an application that is ahead of its time.

Problems with Ajax

More than half of Ajax security risks come from vulnerabilities on the server. Obviously, a good design and secure coding techniques go a long way towards more secure Ajax, and we can be thankful that Max is familiar with the Open Web Application Security Project (OWASP) list of the ten most serious Web application vulnerabilities (www.owasp.org). Unfortunately, when Max implements Ajax he still has to face a number of additional factors:

1. New technology: If Max wants to connect his site to an SQL database, he can find millions of examples on Google. Ajax, however young, is still early in its adoption cycle, and only a handful of good examples exist on the Web. To solve some difficult and needlessly complex problems, developers like Max have to work things out for themselves. Max also has to write both the server-side and the client-side code, and in doing so he creates his own, less well-defined protocol (especially for the server's responses). No matter how good such protocols are, their details eventually show up in the page for everyone to see.

2. Non-traditional design: Ajax differs a little from the traditional design approach, because such applications are half client-side and half server-side. In Max's case he is the only developer, so he writes both the server and the client. Developing in two different languages at the same time, especially early on, produces some initial coding errors, because he has to jump back and forth between the two ends, and what is right for one end may not work at the other. Even if Max had a large development team, responsibility for secure coding can become unclear when code passes between the server and client development teams.

3. Too many scripting languages: Max has decided to build the world's best travel booking tool with his own ingenuity. You start by entering your current location (by postal code, phone number, GPS, etc.), and an AJAX request is sent immediately to determine your exact location. From then on the screen fills with all the ways you could travel, even before you decide where you want to go, when you plan to leave and who you intend to travel with. The cells and controls on this screen are all Ajax-driven, and the server-side and client-side scripts may require more than 20 different server calls. You can imagine a whole set of very small individual server programs, such as findAirportsByLocation.aspx or determineMaxBaggageAllowanceByAirline.php.
  
Obviously, without careful planning on Max's part (such as creating versatile "overloaded" JavaScript functions and server scripts), he would need to create more than 40 separate pieces per design. More code means more bugs, which means more time spent writing, managing, testing and updating it. Worse, because much of this script is client-side JavaScript, it tends to be forgotten in formal program testing.

4. Assuming a little Ajax can't hurt: This is a trip-planning site, but Max is thinking of having it immediately show you a satellite view of your exact location and the weather conditions at your destination. One of the great temptations of Ajax seems to be that there is always one more thing it could do, or, as one commentator put it, "Ajax for Ajax's sake". As Max experiments with his new ideas he gradually keeps adding new features, completely ignoring the need to test them.
