It seems some folks at TheServerSide have started bashing AJAX because they see it as a threat to Java. This has led to fairly ridiculous posts such as the one entitled "But most of all samy is my hero", which states

The story is, a myspace user named samy wanted to be popular. He wanted to make his page do things that others couldn’t and in the process devised a cross system scripting (XSS) attack that managed to add his profile to more than a million other users of the system. To do this he used a combination of AJAX and JavaScript.

It is not the intention to make samy even more famous but he has exposed a serious weakness in the AJAX security model. All samy did was figure out how to upload some JavaScript into his profile and this was despite myspace’s best efforts to limit this type of activity.

With respect to security, the web is already a hostile environment. Will a move to use AJAX and JavaScript further enlarge the security holes that already exist? Could myspace have done more to prevent this type of attack and still afford their users the flexibility to manage their pages as they do now?

Even though I haven't looked at the code of the exploit, I think it is fair to say that this issue has little to do with "the AJAX security model" as implied by the author of the post. Any system that accepts user input has to worry about how it scrubs that data, because some users are malicious. Failing to properly scrub input data leads to all sorts of security problems, including buffer overflows and cross site scripting attacks.
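To make the point concrete, here is an added example (my own code, not from the original post or from MySpace) of the defence that actually matters here: encoding untrusted profile fields at the point where they are inserted into HTML, so that markup a user uploads is rendered as text rather than executed. The function names, the sample profile, and the assumption that the profile is rendered from a plain object are all mine.

```javascript
// Added example, not from the original post: output-encode untrusted
// profile fields before they are placed in an HTML page.

// Each HTML-significant character is mapped to its entity so the browser
// treats user-supplied text as text rather than as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the profile fragment with every untrusted value escaped at the
// point of insertion. Attribute values are always wrapped in double quotes,
// and the escaping of '"' means a value cannot break out of the attribute.
function renderProfile(profile) {
  return (
    '<div class="profile">' +
    `<h2>${escapeHtml(profile.displayName)}</h2>` +
    `<p title="${escapeHtml(profile.tagline)}">${escapeHtml(profile.about)}</p>` +
    '</div>'
  );
}

// True if the rendered fragment still contains a live <script> tag; a
// correctly encoded page must never return true here.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample input (hypothetical) resembling a profile whose fields
// carry markup and an attribute-breakout attempt.
const SAMPLE_PROFILE = {
  displayName: 'samy',
  tagline: '" onmouseover="alert(1)',
  about: '<script>alert(1)</script> hello',
};

// Stand-alone run: prints the encoded fragment for inspection.
console.log(renderProfile(SAMPLE_PROFILE));
```

The same rule applies whatever transport the page uses: an AJAX call that writes a server response into the DOM via `innerHTML` needs exactly this encoding on the server side, just as a normal page load does. Note that a different encoding is needed for JavaScript string, URL, or CSS contexts; this helper covers HTML text and attribute values only.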

I'd suggest that some of the folks on TheServerSide need to read up on some of the FAQs on cross site scripting attacks before blaming AJAX for problems that have nothing to do with it.


Categories: Web Development