As we have already seen, Ajax is just a new way of playing with existing protocols and technologies like HTTP requests or the browser’s Document Object Model (DOM). The same basic security principle of always filtering input and escaping output applies here as well. A typical Ajax request will take an event (such as clicking on an email’s subject) and then send a request to the server to load the email’s content. Although this request cannot be modified by the user directly, as the browser’s address bar does not change, it can still be modified by using browser tools such as Firefox’s Tamper Data extension or a tool such as WebScarab. A developer should not spend too much time on client-side validation since any of it can be modified by attackers. This is not to say that client-side validation is not needed. It is there for a better user experience, so the user will instantly know if she or he (accidentally) submits invalid data. However, the developer should be very careful that the server filters the input before accessing the database or email server, since client-side validation can be bypassed.
var div = document.createElement('div');
var textNode = document.createTextNode(input); // input holds the untrusted string; renamed so it no longer shadows the variable being assigned
div.appendChild(textNode);
var safe = div.innerHTML; // read the displayed text back: HTML in the input comes out as escaped entities
The method is to take the input, create a div element in memory, assign the input to the div’s displayed text, and then copy that displayed text back. This forces any HTML into safe equivalents since the div’s inner text property can only store plain text.
This is a better approach since it assumes all data is possibly malicious. It bears repeating that all input should be considered suspicious. Even if the Ajax request is pulling data from the developer’s own server, there is no guarantee that the data has not been tampered with in transit or that a hacker has not injected malicious content into the data stored on the server.
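The div/text-node trick described above, wrapped as a reusable function and applied to an Ajax mailbox response. This is an added example, not the article’s own code: `serializeTextNode` is a constructed stand-in for the browser’s innerHTML serialization so the function also runs outside a browser, and `renderEmailRow` and the sample message are hypothetical.

```javascript
// Mirrors how a browser serializes a text node back through innerHTML:
// '&', '<' and '>' become entities. Quotes stay as-is because a text node
// never sits inside an attribute value. (Browsers additionally write a
// non-breaking space as &nbsp;, which is irrelevant for this purpose.)
function serializeTextNode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The article's approach: a div's text content can only hold plain text,
// so reading innerHTML returns an HTML-escaped copy of the input. This is
// only appropriate for element content, not for attribute values, URLs or
// script contexts, which need their own encoding rules.
function escapeHtml(input) {
  if (typeof document !== 'undefined') {
    var div = document.createElement('div');
    div.appendChild(document.createTextNode(input));
    return div.innerHTML;
  }
  return serializeTextNode(input); // non-browser fallback, same result for element content
}

// Build the markup for one mailbox row from a decoded Ajax (JSON) response.
// The response is treated as untrusted even though it came from our own
// server: it may have been altered in transit or tampered with in storage.
function renderEmailRow(message) {
  return '<tr><td>' + escapeHtml(message.from) + '</td>' +
         '<td>' + escapeHtml(message.subject) + '</td></tr>';
}

// Constructed sample: a subject line containing markup, as it might arrive
// from the server if a sender supplied it.
var sampleMessage = {
  from: 'alice@example.com',
  subject: 'Re: budget <script>alert(1)</script> & "quotes"'
};

console.log(renderEmailRow(sampleMessage));
```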
about the author
More about Jeremy Conley:
Jeremy is a student at Western Michigan University where he is dual majoring in Electronic Business Design and Film & Video Studies. When not programming or researching design and security topics, Jeremy enjoys movies and photography and drinking coffee in all the amazing local Kalamazoo coffee shops.