What is AJAX?
Why do we go for AJAX?
There are many reasons to adopt AJAX. In earlier years, users grew tired of synchronous request methods, which made them wait for the server's response before they could do anything else. AJAX was introduced to overcome the limits of synchronous calls. To see why, we need to understand the difference between synchronous and asynchronous calling methods.
A synchronous call works like this: you click a button, a request is sent to the server, and while you wait for the response you cannot use any part of the user interface. An asynchronous call lets you keep using other parts of the user interface, and even raise another request, while the first one is still pending.
The advantages of AJAX are:
- Better performance than traditional web applications
- Better bandwidth usage
- Easy interaction with DOM objects
- No need for page refresh
- A single screen can handle multiple tasks, so there is no need for multiple pages
Loopholes in AJAX
The web is a place where hackers look for sensitive data, so a website should be designed to leave as few chances for hacking as possible. AJAX introduces some problems in this regard. They are:
Injection means smuggling data or scripts into the application's main code so that they are treated as part of it.
Injection can happen in the following cases and through the methods given below:
- PHP toolkits: possibility of code injection
- JSON injection: code can be injected during decoding
- DOM injection: client-side attacks become much easier
- XML injection: both client and server side
- Code injection: both client and server side
Problem with JSON
JSON pair injection
A malicious script can be injected through either a URL or a shortcut key. If it gets injected into the DOM and executes, it falls into the XSS category. This is another way of serializing malicious content to the end user.
JavaScript Array poisoning
new Array("DesktopPC", "DELL", "Used", "400$", "It is a used one")
An auction site returns this array for a used desktop computer. If the array object is not properly sanitized on the server side, a user can inject a script into the last field. This injection can compromise the browser and be exploited by an attack agent.
Cross-domain access and Callback
AJAX cannot access other domains from the browser: blocking cross-domain access is a security feature found in every flavor of browser. Several Web services therefore provide a callback mechanism for object serialization, and developers can use it to integrate those Web services in the browser itself. The name of a callback function is passed along with the request; as soon as the browser retrieves the callback object stream, the stream is executed through the function name originally passed from the browser.
This callback puts an extra burden on developers to validate in the browser. If the incoming object stream is not validated by the browser, developers are leaving the end client's fate at the mercy of the cross-domain target. Intentionally or unintentionally, the cross-domain service can inject malicious content into the browser. Because the cross-domain call runs in the current DOM context, it makes the current session vulnerable as well. This entire cross-domain mechanism needs to be looked at very closely before it is implemented in an application.
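The array poisoning case above and the in-browser validation the callback section asks for come down to one question: does the client execute the response or parse it as data? The following is an added example, not code from the original article. It contrasts an eval()-based consumer with a JSON.parse()-based one that checks the record's shape and escapes fields before display; the response strings, the markExecuted() stand-in for injected content and the five-string record shape are all constructed for the example.

```javascript
// Added example, not from the original article: eval() (the pattern behind
// array poisoning) versus JSON.parse() plus shape validation and escaping.

// Constructed responses. ARRAY_SRC is the article's auction record as a
// JavaScript expression, JSON_SRC the same record as plain JSON, and
// POISONED_SRC has a function call in the description field, standing in
// for attacker-controlled content in the last field.
const ARRAY_SRC = 'new Array("DesktopPC", "DELL", "Used", "400$", "It is a used one")';
const JSON_SRC = '["DesktopPC", "DELL", "Used", "400$", "It is a used one"]';
const POISONED_SRC = 'new Array("DesktopPC", "DELL", "Used", "400$", markExecuted())';

// Flag recording whether response content was ever executed as code.
let executed = false;
function markExecuted() { executed = true; return "It is a used one"; }
function wasExecuted() { return executed; }

// Unsafe consumer: eval runs whatever JavaScript the response contains,
// so a poisoned field runs in the page's DOM context.
function parseWithEval(src) {
  return eval(src);
}

// Safe consumer: JSON.parse accepts data only. It throws on "new Array(...)"
// and on any embedded expression or call.
function parseAsJson(src) {
  return JSON.parse(src);
}

// Shape check for the record: exactly five strings of bounded length.
function isProductRecord(value) {
  return Array.isArray(value) &&
    value.length === 5 &&
    value.every((f) => typeof f === "string" && f.length <= 200);
}

// Escape a field so it can be inserted into HTML without becoming markup
// (alternatively assign it via textContent rather than innerHTML).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Validated pipeline: parse as JSON, check shape, escape for display.
// Returns null when the response is rejected.
function renderProduct(src) {
  let record;
  try { record = parseAsJson(src); } catch (e) { return null; }
  if (!isProductRecord(record)) return null;
  return record.map(escapeHtml);
}
```

A response in the article's new Array(...) form can only be consumed with eval, which is why renderProduct rejects it; serving plain JSON lets the client drop eval entirely.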
This article has gone through some of the security threats in AJAX programming; there are more. It does not intend to tell readers to avoid AJAX programming, but aims to recommend some methods to secure the web.