
Ajax Security by Douglas Crockford

  • The browser is not a safe programming environment.
  • An attacker can load additional, external scripts and make requests of your server.
  • An attacker can see everything your users see.
  • They can send that information to any server in the world.
  • These are not new problems.
  • How you encode data can prevent a lot of common, simple issues, e.g. converting < to &lt; before inserting it into HTML.
  • JavaScript’s global object is the root of all XSS (cross site scripting) attacks.
  • The DOM is another source. All nodes are linked to all other nodes on the page and to the network.
  • If code is clean and readable, it is less likely to contain insecurities.
  • JSLint.com is a tool to define a professional subset of JavaScript that will help identify insecurities.
  • Web 2.0:
    • Mashups are a great innovation, but are insecure.
    • Advertising is a mashup.
  • Competition to displace the traditional web:
    • Silverlight
    • Adobe AIR
    • JavaFX
  • 3-prong strategy to fix the web:
    • Safe JavaScript subsets: by using JSLint and ADsafe.
    • Small browser improvements: even simple improvements can take a long time to distribute.
    • Massive browser improvements.
  • We need to replace JavaScript and the DOM with something more secure e.g. a secure subset of JavaScript.
  • Be rigorous in your coding practices to help your security measures.
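
The encoding point above (converting < to &lt;) in working form, as an added example that is not part of the original post or the talk: a small HTML-context escaper and a template function that applies it to every piece of untrusted data. The `escapeHtml` and `renderComment` names and the sample comment body are assumptions made for this illustration.

```javascript
// Added example (not from the talk or the post): output encoding for
// untrusted data that is placed into an HTML text or attribute context.
// Escaping the five HTML-significant characters means the browser parses
// the data as text, never as markup or script.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  // Coerce to string so numbers, null and undefined are handled uniformly.
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds an HTML fragment from untrusted fields. The escaping is applied to
// the data only; the surrounding template is trusted, static markup.
function renderComment(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Constructed sample input: without encoding this would become a live
// <script> element once inserted into the page.
const SAMPLE_BODY = '<script>alert(1)</script>';

// Stand-alone demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComment('visitor', SAMPLE_BODY));
}
```

This encoder is correct only for HTML text and quoted attribute values; data that lands inside a JavaScript string, a URL or a CSS value needs the encoder for that context instead. When building DOM nodes directly, setting `textContent` rather than `innerHTML` achieves the same effect without string escaping.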

Posted by Jeff on 31/01/08 at 12:45 pm
