28 June 2006

What are you doing for Ajax security?

I've developed quite a few different Ajax apps now (AjaxPro.NET, Atlas, Scriptaculous) and I suddenly realized that it would be so easy for people to hack into them, because I don't see any security being taken care of by either myself or the framework.

The issue is that most JavaScript is not protected by your framework of choice. I've noticed some authors thought their page was protected because they use authentication methods, and therefore their page is immune; not so. I could easily use tools like Fiddler, get a list of the JavaScript files on the page and download them manually. Once I can see the source of a script file, I have direct access to those methods.

What's worse is that as we build Ajax features, not only do we have query methods in there, we call insert/update methods as well from the same files. Imagine a hacker trying to imitate an insert call to your back-end methods.

I haven't really tried hacking scripts and calling them directly, but I will start now and attempt a few ways against my own Ajax app. If I can really do it, then I will have no choice but to take them down. This issue hadn't occurred to me, as I was too wrapped up in the coolness of Ajax, but now I have to really pay some attention to this matter.