NEW THREATS, SAME AS THE OLD THREATS
In Writing Secure Code, authors Michael Howard and David LeBlanc identify two principles of secure applications: "All input is evil until proven otherwise," and "Data must be validated as it crosses the boundary between untrusted and trusted environments."
In the context of a Web application, this means any data passed from a client's browser to a server must be validated before use in any context. There are three general uses for user-supplied data: it's stored in a database through a SQL query; it's used as a value in a calculation; or it's rendered as output back to the user.
Users, meanwhile, can submit data to a server in two ways: as URI-encoded values, either in the querystring or as the entity body of an HTTP POST, or in HTTP headers, the Cookie header included.
Nothing about Ajax changes any of this. Ajax applications do not use user-supplied data in fundamentally new ways: they may render the output as an HTML snippet instead of a fully formed HTML page, and they may perform calculations on the client instead of on the server, but they are still either storing the data, performing a calculation with it, or rendering it.
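To make the point concrete, the following is an added example, not code from the article or from SPI Dynamics. It models a server-side handler for an Ajax "add to cart" request: the two entry points the text names (URI-encoded querystring and POST body, plus the Cookie header) are parsed, each value is validated against an allowlist before it is used in a calculation, and the HTML snippet returned for the client to insert is output-encoded. The function names (parseUrlEncoded, parseCookieHeader, validateQuantity, escapeHtml, handleAddToCart), the field names (sku, qty, note, session) and the sample request are all assumptions made for the example; the unit price is a constructed catalogue value and is deliberately never taken from the client.

```javascript
// Added example (not from the original article). Runs under Node.js, where
// URLSearchParams is a global. All names and sample data below are assumed.

// Entry point 1: URI-encoded values from the querystring or a POST entity body.
function parseUrlEncoded(raw) {
  const out = {};
  for (const [k, v] of new URLSearchParams(raw || '')) out[k] = v;
  return out;
}

// Entry point 2: HTTP headers, here the Cookie header.
// "theme=dark; session=abc" -> { theme: "dark", session: "abc" }
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Use 2 from the text: a value used in a calculation. Allowlist a bounded
// positive integer (1..99); anything else is rejected with null.
function validateQuantity(v) {
  if (typeof v !== 'string' || !/^[1-9][0-9]?$/.test(v)) return null;
  return Number(v);
}

// Use 3 from the text: a value rendered back to the user. Whether the server
// returns a full page or an Ajax snippet the client drops into innerHTML,
// HTML metacharacters must be encoded for that context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The unsafe counterpart, kept only to show what the payload becomes without encoding.
function renderUnsafe(note, qty) {
  return `<li class="cart-item">${note} x${qty}</li>`;
}

// Server-side handler for an Ajax request. Returns the snippet the client will
// insert, or an error object, so the result can be inspected rather than printed.
function handleAddToCart({ query, body, cookieHeader }) {
  const q = parseUrlEncoded(query);
  const b = parseUrlEncoded(body);
  const cookies = parseCookieHeader(cookieHeader);

  // Same rule regardless of channel: nothing is trusted until validated.
  const qty = validateQuantity(b.qty);
  if (qty === null) return { ok: false, error: 'invalid quantity' };
  if (!/^[A-Z0-9-]{1,16}$/.test(q.sku || '')) return { ok: false, error: 'invalid sku' };
  if (!/^[A-Za-z0-9_-]{8,64}$/.test(cookies.session || '')) return { ok: false, error: 'no session' };

  const unitPriceCents = 1999; // constructed catalogue value, never read from the client
  const total = qty * unitPriceCents;

  // The free-text note is the untrusted part that ends up inside markup.
  const snippet = `<li class="cart-item">${escapeHtml(b.note || '')} x${qty}: $${(total / 100).toFixed(2)}</li>`;
  return { ok: true, qty, totalCents: total, snippet };
}

// Constructed sample request: a script payload in the note, a valid quantity,
// and a session cookie alongside an unrelated one.
const SAMPLE = {
  query: 'sku=ABC-123',
  body: 'qty=3&note=' + encodeURIComponent('<img src=x onerror=alert(1)>'),
  cookieHeader: 'theme=dark; session=abcdefgh12345678',
};

console.log('unsafe :', renderUnsafe(parseUrlEncoded(SAMPLE.body).note, 3));
console.log('safe   :', handleAddToCart(SAMPLE));
```

The unsafe line prints a live `<img ... onerror=alert(1)>` element; the safe one prints the same characters as `&lt;img ... &gt;`, which the browser shows as text. Nothing in the handler is Ajax-specific: the same checks apply to a form post that renders a whole page, which is exactly the article's point.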
Likewise, the XMLHttpRequest object that is the backbone of asynchronous processing is still just a mechanism for sending HTTP requests and receiving HTTP responses, which means data is passed to the server in the same ways it always has. "There is nothing new in the field of security; input validation is still the only major concern," says Billy Hoffman, lead researcher at SPI Dynamics.