AJAX Security: Here We Go Again

Saw this article about AJAX security on Slashdot today.  There is some interesting info in there, but the author seems to be too focused on security through obscurity and other dead-end tactics.  True, it is harder to spoof POST requests than it is to spoof GET requests, but either type of request CAN be spoofed, so you have to take that into account on the server side.  Checking the “Referrer” header (spelled `Referer` on the wire) adds essentially NO security to an application because anything in the request is just bits coming across the wire.  “Referrer” headers, cookies and any HTTP parameters (GET or POST) can be faked, so the server applications themselves need to be designed around this.  Security starts – and ends – on the server side when it comes to ANY web application.  This goes for standard web applications, AJAX applications and web services.
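To make the server-side point concrete, here is an added example (not code from the original post or from Denim Group) of an AJAX-style endpoint that treats the method, the `Referer` header, cookies and every parameter as untrusted input. The endpoint name, the in-memory session store and the validation rules are assumptions made for the illustration; the requests at the bottom are constructed, including one that carries a plausible-looking `Referer` and `X-Requested-With` header and a guessed session cookie.

```python
"""
Server-side trust model for an AJAX endpoint.

Added example, not from the original post. Everything the client sends is
treated as untrusted; the only thing the server believes is its own state.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by the server."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # GET or POST, it makes no difference


# Server-side session store (constructed for the example): the single source of
# truth about who is logged in. Keyed by an unguessable id issued at login.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Issue a fresh, random session id and remember it server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def handle_transfer(req: Request) -> tuple:
    """Hypothetical /transfer endpoint. Returns (status, body)."""
    # 1. POST is required because it is the API contract, not because POST is
    #    "harder to spoof". A forged POST is just as easy to send as a forged GET.
    if req.method != "POST":
        return 405, "method not allowed"

    # 2. Authenticate from server state only. The Referer header (note the
    #    on-the-wire spelling) and X-Requested-With are deliberately never read:
    #    they are client-controlled bytes and prove nothing.
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not authenticated"

    # 3. Validate every parameter here, regardless of what the JavaScript
    #    client "would have sent". The client-side checks may never have run.
    try:
        amount = int(req.params.get("amount", ""))
    except ValueError:
        return 400, "amount must be an integer"
    if amount <= 0 or amount > 10_000:
        return 400, "amount out of range"
    to_account = req.params.get("to", "")
    if not (to_account.isalnum() and 1 <= len(to_account) <= 16):
        return 400, "bad destination"

    # 4. Authorize against the server-side identity, never a client claim.
    return 200, f"{session['user']} transfers {amount} to {to_account}"


def demo() -> list:
    """Run a few constructed requests through the endpoint; returns the statuses."""
    spoofed = Request(
        "POST", "/transfer",
        headers={"Referer": "https://app.example/", "X-Requested-With": "XMLHttpRequest"},
        cookies={"sid": "guessed-session-id"},          # constructed, not issued by login()
        params={"amount": "100", "to": "acct1"},
    )
    sid = login("alice")
    legit = Request("POST", "/transfer", cookies={"sid": sid},
                    params={"amount": "100", "to": "acct1"})
    wrong_method = Request("GET", "/transfer", cookies={"sid": sid},
                           params={"amount": "100", "to": "acct1"})
    bad_amount = Request("POST", "/transfer", cookies={"sid": sid},
                         params={"amount": "1e3", "to": "acct1"})
    return [handle_transfer(r)[0] for r in (spoofed, legit, wrong_method, bad_amount)]


if __name__ == "__main__":
    print(demo())  # expected: [401, 200, 405, 400]
```

The headers on the spoofed request look exactly like what a browser's `XMLHttpRequest` would send, and the handler still rejects it, because the decision rests on a session the server itself issued and on parameter checks the server itself performs. Nothing about the request's origin is inferred from the request.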

I will be presenting to the OWASP San Antonio chapter about AJAX security on April 19th, 2006.  More information can be found here, or feel free to drop me an email.  This should be a fun and informative presentation and Denim Group will be releasing an open source tool called “sprajax” that will help with assessment and auditing of AJAX applications.

dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
