AJAX IMPACT



INDUSTRY NEWS
Eric Pascarello dissects Ajax security vulnerabilities
02/07/2006, By Colleen Frye

When people look at Ajax they see this XMLHttpRequest object performing magic on a Web page and they think that this can lead to major security flaws. When we do a simple view source on the page, we see the page we are calling, the parameters that are being sent. Anyone with any basic knowledge of JavaScript can easily inject scripts onto the page and change the request object to send other data. So yes, it is open to attack, but it is not anything to be afraid of.

People say this is so horrible that someone can take over this request so easily. But these people need to realize that the XMLHttpRequest is nothing more than a normal form submission. You can picture it as a form being submitted in another frame. Act like there are form tags and hidden text fields on the page. With a view source of any normal HTML form, we can grab the element names and see the parameters being sent to the server. We can look at the action attribute and see where we are submitting the data. So just like how we can see the XMLHttpRequest object, we can see the same thing on any Web page.
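
The comparison above has a server-side consequence: a body sent by `XMLHttpRequest` and one sent by a form with hidden fields arrive as the same bytes, and either can be edited before sending, so the handler has to decide what it accepts. The sketch below is an added example, not code from the article or from Pascarello; the catalog, field names and session shape are assumptions made up for illustration.

```javascript
// Added example. CATALOG, the field names and the session object are constructed.
const CATALOG = { "sku-100": 1999, "sku-200": 4999 }; // server-side prices, in cents

// Parse an application/x-www-form-urlencoded body. A form POST and
// XMLHttpRequest.send() with the same fields produce the same bytes here,
// so the server cannot tell which one (or a hand-edited copy) sent them.
function parseBody(rawBody) {
  return Object.fromEntries(new URLSearchParams(rawBody));
}

// Handle an "add to cart" request. Nothing in the body is trusted:
// identity comes from the session and the price from the server's catalog.
function handleAddToCart(rawBody, session) {
  const p = parseBody(rawBody);
  if (!session || !session.userId) {
    return { status: 401, error: "not logged in" };
  }
  // Only SKUs the server knows about are accepted.
  if (!Object.prototype.hasOwnProperty.call(CATALOG, p.sku)) {
    return { status: 400, error: "unknown sku" };
  }
  // Quantity must be a plain integer from 1 to 99.
  if (!/^[1-9][0-9]?$/.test(p.qty || "")) {
    return { status: 400, error: "bad quantity" };
  }
  const qty = Number(p.qty);
  // Any price or userId fields in the body are ignored on purpose.
  return {
    status: 200,
    userId: session.userId,
    sku: p.sku,
    qty: qty,
    total: CATALOG[p.sku] * qty,
  };
}

// Constructed sample bodies: one as the page's script would send it,
// one with the visible parameters changed by hand.
const AS_SENT = "sku=sku-100&qty=2&price=1999&userId=alice";
const EDITED = "sku=sku-100&qty=2&price=1&userId=bob";
```

Both sample bodies produce the same order for the logged-in user, because the price and user id never come from the request.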


      © 2008 ajaximpact.com. All rights reserved.