Quote:
Originally Posted by mendhak
Easier with AJAX.
Marginally. Those that need that ease aren't the ones who'll attack my application.
Quote:
It is Ajax specific because of the hole it's just opened up. How are hidden inputs even a security solution? :ehh:
What are you talking about? What hole?
The hidden inputs are not a security solution. I explicitely said so. It would be stupid to use them. Just as it would be stupid to write data the user shouldn't be able to see somewhere JS code can access it.
Quote:
And, if you send an ajax request to your server, what's to stop me from sending a request to it?
You need to be logged in at my server for that request to be accepted.
Quote:
If it's a third party web service or page, since it's nothing but an httpwebrequest, I'm now allowed to do anything I want to with the third party page, replace the scripts, whatever. Sure, can be done with other languages, but I need to be on the server itself and add and register my own HTTPHandler.
I have absolutely no idea what you're talking about, and especially how a HTTP request sent by JS differs, in the server's view, from any other HTTP request.
Quote:
Yes, check the referrers, read the headers. How many people know that? 14.
And those 14 are wrong, because you can't trust client-provided data like referrer and headers.
Quote:
Of course, it's entirely possible to add more and more procedures to make this totally secure. More and more patchwork. Eventually blurring the lines. Soon we're at the point of creating convoluted procedures that would befit a true Chit-Chat thread.
I still have no idea what you're talking about.
Quote:
Remember ActiveX? ;) It's got to do with idiocy, totally correct. You may or may not have a rose-tinted monitors, but it's the type of idiocy that a potentially great technology promotes.
ActiveX is a security problem because it allows a browser to start executing native code which cannot be, or perhaps just was not, sandboxed. The second part of the problem was that the browser thought it was a great idea to allow downloading this native code from somewhere and execute it, with only a prompt that most users didn't understand.
That's got absolutely nothing to do with AJAX. Being JavaScript code, it is executed in the browser's sandbox and hopefully has no way of escaping it. (And if it does, that's a security bug in JS, not in the specific usage as AJAX.)
Quote:
I don't understand what you've said here.
Hmm, I misread your original post here. You said:
Quote:
Sql injection attacks possible with poorly written code, but let's that one pass.
The point is, SQL injection attacks are about an HTTP request to the server carrying variables that are maliciously crafted to exploit poorly written database access code. If your AJAX implementation is so separate from the normal HTTP requests that it doesn't even share the DB access code, that's your own fault. If it isn't, the problem is reduced to something that is completely independent of the method used to access it, i.e. nothing to do with AJAX.
Quote:
Refer to the point of promotion of idiocy.
I just don't see where the potential security problem is.
Quote:
An implementation error (who doesn't make errors?) in Ajax is costlier than an implementation error in a codebehind solution.
I believe that this indicates too much business logic on the client side.
Quote:
For instance... You have to validate more.
Not true. I have to validate each bit of data sent to server. I need to do that at least on the server, but it's usually a good idea to do it on the client too. That's true whether the data is sent asynchronously (AJAX) or synchronously (a conventional interface where each change requires a reload).
Quote:
That's a problem I see with multiple entry points. It doesn't take a certified amphibian to see that. More points of entry = more chances of a mistake.
I simply believe that it is possible to write most AJAX stuff without duplicating much server-side logic, thus without increasing the attack surface.
Quote:
Your framework is smart, good for you. Keep working on it. :)
Oh, I will, thanks.
That wasn't my question. My question was about how you'd get the data from the user (who needs to enter it at some point - or else I have again no idea what scenario you're talking about) to the server.
Quote:
With the shifting of the line, a developer is now using two languages to do the same thing (due to a variety of reasons as you must know), he's on client and server code. And so when I deploy the code by sending it over to my incompetent server-deployment team, they punch themselves in the teeth. And we're also allowing others to look at part of our business logic.
You've got a point here. Of course the complexity increases if there are effectively two interfaces, one conventional and one AJAX. Of course it either requires the developer to know two languages or else have the same thing (not quite - AJAX interfaces work differently from non-AJAX and thus use different logic) implemented twice by different developers. Still, it shouldn't be the business logic at the client, ever. The JS code should emulate the UI reaction to the given data and send an async request to the server to do the actual business logic.
Quote:
Why not just do away with the authentication and just request users to play nice?
This, on the other hand, has nothing to do with the previous point and is a logical fallacy.
Quote:
Sure, structure the JS right. Even that can be flawed. Spend more time on QA. Go back and keep fixing it.
I was talking about source organization.
Quote:
And somehow... A simple view source and a clever pair of eyes is all it takes to look at it and figure out yet another way to bypass it.
Don't ever implement sensitive logic on the client. I can certainly agree with you about that part. I just disagree that this means AJAX in general has no place in applications that handle sensitive areas.
Quote:
Application design is about the programmers' thought process. With such increased complexity and poorly separated tiers, the programmer needs to understand and know the acceptability and limits, adhere to them without going overboard.
I disagree about the poorly separated tiers - that's the entire point of application design. Really learning AJAX means to me knowing how it fits into the design of a web app without compromising it, how to make it a well-behaved tool instead of a hype going wild. It is limited knowledge of how to use AJAX that would lead to poorly separated tiers.
Quote:
I understand the potential. Actually, I like to think I understand the potential. I've been working with Ajax for 6 years, and in these 6 years I've seen that for true, secure enterprise level applications, it's a bad, bad, bad choice.
You have definitely more experience than I, then, but I do wonder about the specific cases that you've seen.
Because frankly, although I like to think of myself as a smart guy, I don't see it that way and for the most part don't know what you're talking about. It still seems to me as if you're blaming problems of the server-client model in general on AJAX specifically.
Quote:
There are better and improved browsers coming out soon. They will introduce new solutions and maybe new problems.
Actually, no. Not IE7, not Fox 2 or even 3 contain any new feature that will radically change the approach to building web sites. Sure, JavaScript 1.7 (as supported by Fox2) may lead to more readable JS code. Yes, client-side storage as in the HTML5 draft and implemented by Fox2 may enable having the same AJAX app running multiple times in different windows or tabs (right now this is difficult, because data of the two tends to mingle).
But that won't change the fundamental approach. The web is still about sending a request to a server and getting a response back. AJAX doesn't change that - in only changes when these requests are sent, and what the browser does during that time and with the response.
Actually I see one problem. With the client-side storage interface, the temptation for programmers to transfer more business logic to the client increases. I see that as a danger and a wrong approach to AJAX. And abuse of a feature does not, in my book, justify banning that feature from a whole area.