Ajax security: How to Prevent Exploits in 5 Steps
By Michael Cobb
Google's Gmail recently drew the Web developer community's attention to the possibilities of Ajax (Asynchronous JavaScript and XML). Ajax is a set of technologies used together to extend browser functionality and allow users and applications to access, share and edit content. While this Web development technique is nothing new, it is viewed as part of Web 2.0, a second generation of Web services, which, like all Internet-based services, brings with it its own security concerns. Let's look at how Ajax operates, how it can be exploited, and what you can do to prevent an attack.
How Ajax Works
Ajax applications are mainly executed on a user's machine. They exchange small amounts of data behind the scenes with the server, so the entire Web page does not have to be reloaded. This adds functionality to a page and makes it seem more responsive; Gmail's real-time spell check is one example. Ajax uses technologies like Cascading Style Sheets (CSS), the Document Object Model (DOM) and Dynamic HTML (DHTML), but its main driver is JavaScript's XMLHttpRequest object, which can be set to operate behind the scenes asynchronously and can be triggered by user keystrokes, a timer or other similar events. This means the JavaScript code on a Web page can connect to Web servers independently of the user and pull in cross-domain content.
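To make the mechanism concrete, here is an added example (not code from the article or from Gmail) of the Ajax round trip just described: a keystroke handler waits a short time after the last key, then sends the text to the server with XMLHttpRequest and renders the reply into the page without a reload. The server endpoint /spellcheck, its JSON reply shape {"misspelled": [...]}, and the element ids editor and spell-status are assumptions for the illustration. The request is sent asynchronously, the reply is parsed defensively, and the result is written with textContent rather than innerHTML so that whatever the server returns is shown as text, never interpreted as markup.

```javascript
// Added example: a minimal Ajax spell-check round trip.
// Assumed endpoint: GET /spellcheck?q=<text> -> {"misspelled": ["word", ...]}

// Build the request URL. encodeURIComponent keeps user text from breaking
// or smuggling extra parameters into the query string.
function buildSpellcheckUrl(text) {
  return '/spellcheck?q=' + encodeURIComponent(text);
}

// Parse the server reply defensively: accept only a JSON object carrying an
// array of strings; anything else (bad JSON, wrong shape) yields no result.
function parseSpellcheckReply(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { return []; }
  if (!data || !Array.isArray(data.misspelled)) return [];
  return data.misspelled.filter(w => typeof w === 'string');
}

// Send the asynchronous request. xhrFactory defaults to the browser's
// XMLHttpRequest; a fake factory lets the logic run outside a browser.
function sendSpellcheck(text, onResult, xhrFactory) {
  const makeXhr = xhrFactory || (() => new XMLHttpRequest());
  const xhr = makeXhr();
  xhr.open('GET', buildSpellcheckUrl(text), true); // third arg true = async
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;             // 4 = DONE
    if (xhr.status !== 200) { onResult([]); return; }
    onResult(parseSpellcheckReply(xhr.responseText));
  };
  xhr.send(null);
  return xhr;
}

// Debounce keystrokes: wait `delay` ms after the last key before sending,
// so the server is not hit on every character typed.
function makeKeystrokeHandler(sendFn, delay) {
  let timer = null;
  return function (text) {
    if (timer !== null) clearTimeout(timer);
    timer = setTimeout(() => { timer = null; sendFn(text); }, delay);
  };
}

// Render the result as text (textContent), not as HTML.
function renderMisspellings(words, container) {
  container.textContent = words.length ? 'Check: ' + words.join(', ') : '';
}

// Browser wiring; only runs where a DOM with the assumed elements exists.
if (typeof document !== 'undefined') {
  const input = document.getElementById('editor');
  const out = document.getElementById('spell-status');
  if (input && out) {
    const handler = makeKeystrokeHandler(
      text => sendSpellcheck(text, words => renderMisspellings(words, out)),
      300);
    input.addEventListener('keyup', () => handler(input.value));
  }
}
```

The three pieces a reviewer should look at are the URL builder (user input is encoded before it reaches the query string), the reply parser (the client does not trust the shape of what comes back), and the renderer (server data is written as text). Each of those is where an Ajax client, which runs on the user's machine and talks to the server without the user seeing it, typically goes wrong.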
...