ajax - security concerns
- need to understand several technologies.
- backend developers unfamiliar with client side coding and vice versa.
- difficult to address security in this complex technological mix.
increased attack area
client code more vulnerable
- client code can be viewed.
- client code can easily be modified by an attacker, e.g. through injection.
- typical ajax implementations have significantly more client side validation.
- client code makes calls to the server's business service layer.
- client side validation is easy to bypass.
denial of service
- many small requests between client and server.
- under heavy load the number of requests to the server increases exponentially.
- content is aggregated from multiple domains.
- can use json.
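The two points above (content pulled in from several domains, often as json, and the volume of small requests) have a defensive counterpart on both ends. The following is an added example, not code from the original slides: the client treats every aggregated json response as untrusted (size cap, JSON.parse rather than any form of evaluation, shape check, copying only known fields), and the server keeps a per-client request budget so a burst of small requests cannot be amplified without limit. The names safeParseFeed, RequestBudget, the item shape and the limits are assumptions chosen for the example.

```javascript
// Added example (not from the original slides): handling json aggregated
// from several domains as untrusted input, and capping the request rate one
// client can drive against the server. safeParseFeed, RequestBudget and the
// feed item shape { id, title } are hypothetical names for this example.

const MAX_FEED_BYTES = 64 * 1024; // constructed limit for one response body
const MAX_ITEMS = 100;            // constructed limit on items per response

// Parse a json response without executing it and check its shape before
// any of it reaches the DOM. Returns { ok, items } or { ok, error }.
function safeParseFeed(text) {
  if (typeof text !== 'string' || text.length > MAX_FEED_BYTES) {
    return { ok: false, error: 'oversized or non-text response' };
  }
  let data;
  try {
    data = JSON.parse(text); // JSON.parse only builds data, it never runs code
  } catch (e) {
    return { ok: false, error: 'malformed json' };
  }
  if (!Array.isArray(data) || data.length > MAX_ITEMS) {
    return { ok: false, error: 'unexpected top-level shape' };
  }
  const items = [];
  for (const it of data) {
    const valid = it !== null && typeof it === 'object' &&
      Number.isInteger(it.id) &&
      typeof it.title === 'string' && it.title.length <= 120;
    if (!valid) return { ok: false, error: 'invalid item' };
    items.push({ id: it.id, title: it.title }); // copy only the known fields
  }
  return { ok: true, items };
}

// Server side: sliding-window budget of at most `limit` requests per
// `windowMs` milliseconds for each client key (e.g. session id or address).
class RequestBudget {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of recent requests
  }
  // `now` is passed in so the behaviour is deterministic and testable.
  allow(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false; // over budget: the caller answers 429 / drops the request
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Count how many of `n` requests arriving 1 ms apart a fresh budget admits.
function burst(n, limit, windowMs) {
  const budget = new RequestBudget(limit, windowMs);
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (budget.allow('client-a', 100 + i)) allowed++;
  }
  return allowed;
}

// Constructed samples: a well-formed feed with an extra field that is dropped,
// a feed whose id has the wrong type, and a non-json string.
const goodFeed = JSON.stringify([
  { id: 1, title: 'hello' },
  { id: 2, title: 'world', extra: 'dropped' },
]);
const badFeed = '[{"id":"1","title":"x"}]';
const notJson = '1 + 1;';

console.log(safeParseFeed(goodFeed)); // ok: true, two items, no `extra`
console.log(safeParseFeed(badFeed));  // ok: false, invalid item
console.log(safeParseFeed(notJson));  // ok: false, malformed json
console.log(burst(10, 3, 1000));      // 3
```

The budget is kept in memory per process; a real deployment would back it with shared storage so every server instance sees the same counts, but the check itself is the same.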
how to secure ajax sites?
- validate all inputs.
- all client side validation must be backed up by server side validation.
- don't implement business logic validation on the client side.
- encode all outputs.
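The four points above form one procedure: the server re-validates everything the client checked, keeps the business rules to itself, and encodes whatever it echoes back. The following is an added example, not code from the original slides, written as a simulated ajax endpoint without a framework: the same field rules are shared so the browser can give fast feedback, but the server runs them again on the raw request body, rejects unknown fields, computes the price itself, and HTML-encodes the reflected note. The order fields, validateOrder, serverPrice, encodeHtml and handleOrder are assumptions chosen for the example.

```javascript
// Added example (not from the original slides): server-side validation that
// backs up the client-side checks, business logic kept on the server, and
// output encoding. All names and the order shape are hypothetical.

// Shared rules. The browser uses them for immediate feedback only; the
// server re-runs them on every request because the browser copy can be
// modified or bypassed entirely.
const RULES = {
  quantity: (v) => Number.isInteger(v) && v >= 1 && v <= 100,
  sku: (v) => typeof v === 'string' && /^[A-Z0-9]{4,12}$/.test(v),
  note: (v) => typeof v === 'string' && v.length <= 200,
};

// Returns the list of offending field names (empty when the order is valid).
function validateOrder(order) {
  const errors = [];
  if (order === null || typeof order !== 'object') return ['body'];
  for (const [field, ok] of Object.entries(RULES)) {
    if (!ok(order[field])) errors.push(field);
  }
  // Unknown fields are rejected too, so a caller cannot smuggle in
  // parameters (such as a price) that only the server should decide.
  for (const field of Object.keys(order)) {
    if (!(field in RULES)) errors.push(field);
  }
  return errors;
}

// Business logic lives only here. The client never sends a price or
// discount; it only sends what it wants, and the server decides the rest.
function serverPrice(order) {
  const unitPrice = 10;                               // constructed value
  const discount = order.quantity >= 50 ? 0.1 : 0;   // constructed rule
  return Math.round(order.quantity * unitPrice * (1 - discount) * 100) / 100;
}

// Encode anything that will be placed into HTML, regardless of whether
// the client was expected to have filtered it.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated endpoint: `body` is whatever arrived on the wire, which may
// have nothing to do with what the page's script checked.
function handleOrder(body) {
  const errors = validateOrder(body);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  return {
    status: 200,
    body: {
      total: serverPrice(body),
      noteHtml: encodeHtml(body.note), // the note is reflected into the page
    },
  };
}

// Constructed samples: a request the client-side check would have blocked
// (quantity out of range, extra `price` field) submitted directly, and an
// honest request whose note contains markup characters.
const tampered = { quantity: 100000, sku: 'WIDGET1', note: 'rush', price: 0 };
const honest = { quantity: 60, sku: 'WIDGET1', note: 'leave at <side door> & ring' };

console.log(handleOrder(tampered)); // 400, errors: [ 'quantity', 'price' ]
console.log(handleOrder(honest));   // 200, total 540, note encoded
```

Keeping RULES in one shared module is what lets the client and server stay in step; the security property comes from the server calling validateOrder, not from the client doing so.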
use secure libraries
- use tried and tested components such as Microsoft Atlas.
integrate security into the sdlc
- data classification.
- functional boundaries.
- threat modeling.
- session management.
- exception handling.
- auditing and logging.