It seems some folks at TheServerSide.com have started bashing AJAX because
they see it as a threat to Java. This has led to fairly ridiculous posts
such as this one, entitled "But most of all samy is my hero", which states:

The story is, a myspace user named samy wanted to be popular. He wanted to make
his page do things that others couldn’t and in the process devised a cross system
scripting (XSS) attack that managed to add his profile to more than a
million other users of the system. To do this he used a combination of AJAX and
JavaScript.

It is not the intention to make samy even more famous but he
has exposed a serious weakness in the AJAX security model. All samy did was
figure out how to upload some JavaScript into his profile and this was despite
myspace’s best efforts to limit this type of activity.

With respect to
security, the web is already a hostile environment. Will a move to use AJAX and
JavaScript further enlarge the security holes that already exist? Could myspace
have done more to prevent this type of attack and still afford their users the
flexibility to manage their pages as they do now?

Even though I haven't looked at the code of the exploit, I think it
is fair to say that this issue has little to do with "the AJAX security
model" as implied by the author of the post. Any system that accepts
user input has to worry about how it scrubs the data due to malicious
users. Not properly scrubbing input data leads to all sorts of security
problems including buffer overflows and cross-site scripting attacks.

I'd suggest that some of the folks on TheServerSide need to read up
on some of the FAQs on cross-site scripting attacks before blaming AJAX
for problems that have nothing to do with it.
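
To make the point about scrubbing user input concrete, here is an added example (not code from the original post, and not the MySpace filter or the exploit) that runs a denylist filter and output encoding over the same constructed profile strings. The function names and sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, constructed sample data.

// Weak approach: a denylist that deletes <script> elements in one pass.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Safer default: encode every HTML metacharacter at output time so the
// browser treats the entire value as text, whatever it contains.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Rough check: is there still something a browser could parse as a tag?
function containsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Constructed profile field values used to evaluate both approaches.
const SAMPLES = [
  "Hi, I'm Tom & I like <3 music",               // benign text
  "<script>alert(1)</script>",                   // the case the denylist expects
  '<img src="x" onerror="alert(1)">',            // script without a <script> tag
  "<scr<script></script>ipt>alert(1)</script>",  // reassembles after one pass
];

// Returns, per sample, whether live markup survives each treatment.
function compare(samples) {
  return samples.map((s) => ({
    input: s,
    denylistLeavesMarkup: containsMarkup(stripScriptTags(s)),
    escapedLeavesMarkup: containsMarkup(escapeHtml(s)),
  }));
}

for (const row of compare(SAMPLES)) console.log(row);
```

Encoding like this covers values placed in HTML text and quoted attribute contexts. A site that lets users supply their own markup needs an allowlist-based HTML sanitizer instead, since escaping would remove the formatting as well.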