AJAX Poses Security Risk

February 13, 2006

Asynchronous JavaScript and XML (AJAX), the method web application developers use to let the client communicate with the server without interrupting the user's activity, exposes applications to new security vulnerabilities, according to a Forum Systems security advisory.

AJAX is being used by web sites run by Google, Yahoo! and others. By enabling the creation of interactive and highly responsive web pages that are interoperable with web services, AJAX increases the amount of XML traffic being transmitted. The use of XML as the content type for requests and responses means that applications will be exposed to new security vulnerabilities and application performance degradation.

Application developers looking for standards-based presentation with simplified data manipulation, exchange and interaction will likely choose XML as the payload format between client and server. This option also makes the application immediately interoperable with Web services and Service-Oriented Architectures (SOAs).

“Ajax overcomes a well-known limitation in traditional Web interfaces, where a user must wait to reload the page anytime they call up new data,” said Walid Negm, vice president of marketing for Forum Systems. “While Ajax affirms the viability of the Web as a standalone software development platform, it also brings with it performance and security considerations that both developers and companies implementing Ajax need to be aware of and prepared to handle.”

The advisory recommends that organizations implement server-side content filtering, Web Services Security and XML Acceleration to ensure scalable and secure Ajax applications.
