AJAX Security
Last month at the Bloomington, IL .NET User Group, Dave Bost presented on AJAX. One of the questions from the audience was, "How does AJAX .NET security compare with other AJAX frameworks, and is AJAX secure?"
Good question. I think the answer lies in the fact that JavaScript is NOT "secure by default". As a heavy-JavaScript developer, regardless of whether you use an AJAX framework, you must be aware of security. More often than not, client-side JavaScript can be side-stepped to get around an application's "security"; therefore, you shouldn't rely on JavaScript for security. ASP.NET can assist you in preventing cross-site scripting attacks with built-in features and a library. However, JavaScript developers should take extra care to ensure that application security is implemented on the server.
Now, how does AJAX fit into this picture? Well, AJAX lowers the bar for integrating powerful JavaScript functionality, allowing the junior or part-time programmer to add it to their applications. The result is an increased attack surface in the hands of a programmer who is not fully aware of the security flaws that JavaScript can expose.
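As an added example (not code from this post or from ASP.NET AJAX), here is the point above in plain JavaScript: a client-side check a page might run before its AJAX call, beside a server-side handler that repeats the check, HTML-encodes its output, and takes the caller's role from the session rather than from the request body, so a request that skipped the client script is still handled safely. The request shape, the session object and the handler names are assumptions.

```javascript
// Client-side check, as an AJAX page might run before sending the request.
// It improves the user experience only: a caller can skip it and post to the
// endpoint directly, so nothing here may be treated as a security control.
function clientSideValidate(comment) {
  return typeof comment === 'string' &&
    comment.length > 0 && comment.length <= 200 && !/[<>]/.test(comment);
}

// Server-side: HTML-encode untrusted text before placing it in a page.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Server-side handler for posting a comment. It re-checks every constraint
// itself and ignores any "validated" flag the client may have sent.
function handleComment(request) {
  const body = request.body || {};
  const comment = typeof body.comment === 'string' ? body.comment : '';
  if (comment.length === 0 || comment.length > 200) {
    return { status: 400, html: 'comment must be 1-200 characters' };
  }
  // The raw text would be stored here; encoding happens on output.
  return { status: 200, html: `<li class="comment">${htmlEncode(comment)}</li>` };
}

// Server-side handler for deleting a comment. Authorization comes from the
// server-managed session (assumed shape: { role }), never from body.isAdmin,
// which any caller can set.
function handleDelete(request) {
  const role = request.session && request.session.role;
  if (role !== 'admin') {
    return { status: 403, html: 'forbidden' };
  }
  return { status: 200, html: 'deleted' };
}

// Constructed requests: one from a well-behaved page, one that skipped the
// client check and one that claims admin rights in the body.
const normalRequest = { body: { comment: 'Nice talk!', validated: true }, session: { role: 'user' } };
const bypassRequest = { body: { comment: '<script>alert(1)</script>', validated: true }, session: { role: 'user' } };
const forgedRoleRequest = { body: { isAdmin: true }, session: { role: 'user' } };
```

The client check rejects the second comment, but the server never relies on that: the same input is encoded on output, and the forged role is ignored because only the session decides.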
For an introduction to AJAX security, I would recommend this article and the following webcasts by Joe Stagner (I'm a discerning webcast consumer--but these are really good--you can see some JavaScript attacks in action):
Live From Redmond: AJAX Security Basics- The Building Blocks to Protecting Your Applications Built with ASP.NET AJAX
Live From Redmond: How Hackers Reverse Engineer and Exploit an ASP.NET AJAX Application
Live From Redmond: The Brave New World of AJAX Hacking (and prevention using ASP.NET)
Live From Redmond: The Next Generation of AJAX Attacks – A New Generation of Attack Theories
Live From Redmond: Best Practices: A Look at Developer ASP.NET AJAX Security Mistakes
