ajax - security concerns

increased complexity

  • need to understand several technologies.
  • backend developers unfamiliar with client side coding and vice versa.
  • difficult to address security in this complex technological mix.

increased attack area

client code more vulnerable

  • client code can be viewed.
  • client code can be easily modified by an attacker using injection.
  • developers need to understand javascript and the dom.

validation

  • typical ajax implementations have significantly more client side validation.
  • client code makes calls to the server's business service layer.
  • client side validation is easy to bypass.

denial of service

  • many small requests between client and server.
  • heavy loads will exponentially increase the number of requests to the server.

mashing

  • aggregate content from multiple domains.
  • can use json.

how to secure ajax sites?

validation

  • validate all inputs.
  • all client side validation must be backed up by server side validation.
  • don't implement business logic validation client side.
  • encode all outputs.
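
The validation points above, shown as an added example that is not part of the original page: a server-side handler re-validates an ajax json request, computes the business value itself, and encodes user text on output. The "order" request, its field names, the CATALOGUE price list and all function names are hypothetical.

```javascript
// Added example: server-side handling of an ajax json request (hypothetical "order" endpoint).
const CATALOGUE = { "sku-100": 1999, "sku-200": 4950 }; // constructed price list, in cents

// Encode untrusted text before it is placed in HTML element content or a quoted attribute.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Re-validate everything the browser claims to have validated already.
function validateOrder(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ["body is not valid JSON"] };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const { sku, quantity, note } = body;
  if (typeof sku !== "string" || !Object.prototype.hasOwnProperty.call(CATALOGUE, sku)) {
    errors.push("unknown sku");
  }
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10) {
    errors.push("quantity must be an integer from 1 to 10");
  }
  if (note !== undefined && (typeof note !== "string" || note.length > 200)) {
    errors.push("note must be a string of at most 200 characters");
  }
  if (errors.length > 0) return { ok: false, errors };
  // Business rule stays on the server: the total is computed here and any
  // client-supplied price or total field in the request is ignored.
  const total = CATALOGUE[sku] * quantity;
  return { ok: true, order: { sku, quantity, total, note: note || "" } };
}

// Build the HTML fragment returned to the page, encoding the user-supplied note.
function renderConfirmation(order) {
  return "<p>" + order.quantity + " x " + encodeHtml(order.sku) +
    " = " + (order.total / 100).toFixed(2) + "</p><p>" + encodeHtml(order.note) + "</p>";
}
```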

use secure libraries

  • use tried and tested components such as microsoft atlas.

integrate security in sdlc

  • data classification.
  • functional boundaries.

design

  • threat modeling.
  • session management.
  • exception handling.
  • auditing and logging.