AJAX and dynamic HTML in general is such a new technology that most people really don’t get it’s true security implications. It’s nice to see a few articles being written that address the web application security issues found with the various types of dynamic code out there. Today I ran across an article on Help Net Security talking about the “Top 10 Ajax Security Holes and driving factors”. Pretty impressive sounding, but the title is kinda misleading.
Of the actual holes there are only three mentioned, Phishing, XSS and CSRF. He actually misses one of the other major holes like the one Jeremiah found in Google for instance where you can steal any data inside JSON if you visit a malicious web-page (yes, you heard me right, don’t put sensitive information in JSON). But even still, what he does discuss, even if it’s not 10 holes, is 10 ways to create those three holes. Some of them are going to be fairly obvious or impossible to create without some other hole and others are a tad more creative, but still, it’s nice seeing people think about this.
However, I’d like to point out, as I have before that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can be circumvented now. The more logic you create on the browser for parsing and security the more you must insure that your backend also protects you at the same time, since all client side security can be circumvented in one way or another.
I’ve said it a number of times but this is tantamount to muddying the security waters. Instead of knowing your single choke point for security issues you now have two or more places that require security thought. Not that that makes you less secure, it simply increases the attack surface area. Anyway, it’s kind of an interesting read.