Saturday, December 02, 2006

no inherent insecurity with AJAX

Jeremiah Grossman (CTO of WhiteHat Security) has a great article regarding a topic that erroneously arises from time to time : inherent security risks of AJAX applications versus traditional client-server web applications. This article words and explains the point very well. That point is basically that the security best-practices for both paradigms of web development are the same, and that AJAX presents no additional inherent insecurity.

The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true ... Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS) , reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged.'

No comments: