
Introduction to Ajax

15. Ajax and Security


Using Ajax means the page is sending requests to, and retrieving data from, the server, so we have exactly the same security concerns with Ajax as we would have with any other server side processing.

Any field that a visitor to the page can fill in needs to be validated, preferably by the JavaScript before the request is sent and then again by the server side processing before it responds. This applies in particular to free-text fields where your visitor can enter whatever they want, but it should also be applied (at least on the server end) to selection lists and radio buttons, where the form limits the range of responses but nothing stops a request from carrying a value that was never on the form.

Do not make the mistake of thinking that, because your Ajax application needs the JavaScript to send the request to the server in the first place, you can validate everything in the JavaScript and let the server side code assume the data has already been checked. The browser's same-origin policy only governs what a script on another site can read back from your server; it does nothing to stop someone from sending the same request without your page and without using Ajax at all. Without appropriate validation in the server side code, all anyone needs to do to bypass your JavaScript checks is to submit the request directly to the server side script, from a tool such as curl or from a form on a page of their own. Worse, the validations you build into your JavaScript are visible to them, and tell them exactly which fields the server expects and which constraints it relies on, which makes the server side processing even easier to attack.
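The two paragraphs above call for the server side to repeat every check the JavaScript makes, including the allow-list check on select and radio values. The article does not say what language its server side uses, so the following is an added example in Python, not code from the original page; the field names, the allowed values and the two sample requests are invented for the illustration. The second request is what someone gets to send when they skip the page's JavaScript and post to the endpoint directly.

```python
import re

# Constructed example: the values the HTML form actually offers in its
# <select> and radio inputs. The server checks against these lists itself,
# because nothing forces the client to send one of the form's options.
ALLOWED_SORT = {"name", "date", "price"}
ALLOWED_FORMAT = {"html", "json"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_request(params):
    """Server-side validation of the parameters the Ajax call is expected to send.

    `params` is a dict of raw string values as decoded from the request
    (query string or POST body). Returns (ok, errors); the caller must refuse
    to touch the database when ok is False.
    """
    errors = []

    # Free-text field: constrain to an explicit character set and length,
    # rather than trying to strip out "dangerous" characters.
    username = params.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        errors.append("username: must be 1-32 characters of [A-Za-z0-9_]")

    # Fields that are a <select> or radio group on the form still get an
    # allow-list check on the server.
    sort = params.get("sort", "")
    if sort not in ALLOWED_SORT:
        errors.append("sort: not one of %s" % sorted(ALLOWED_SORT))

    fmt = params.get("format", "")
    if fmt not in ALLOWED_FORMAT:
        errors.append("format: not one of %s" % sorted(ALLOWED_FORMAT))

    # Numeric field: parse first, then range-check the parsed value.
    page_raw = params.get("page", "1")
    try:
        page = int(page_raw)
    except (TypeError, ValueError):
        page = None
    if page is None or not 1 <= page <= 1000:
        errors.append("page: must be an integer between 1 and 1000")

    return (len(errors) == 0, errors)


# Constructed sample requests. FROM_THE_FORM is what the page's own
# JavaScript would send after its client-side checks passed; FORGED is what
# a direct request to the server endpoint (curl, a script, someone else's
# HTML form) can carry, since the JavaScript never ran.
FROM_THE_FORM = {"username": "alice", "sort": "date", "format": "json", "page": "2"}
FORGED = {"username": "' OR 'a'='a", "sort": "name; DROP TABLE users",
          "format": "json", "page": "-1"}

if __name__ == "__main__":
    for label, req in (("form", FROM_THE_FORM), ("forged", FORGED)):
        ok, errors = validate_request(req)
        print(label, "accepted" if ok else "rejected", errors)
```

The rejected request never reaches the database code; the validation result is what the handler branches on, so it is the thing worth testing.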

Without the appropriate checks in your server side code to block injection attacks, all of the data that authorised users can retrieve one record at a time via the Ajax call may also be available in bulk to anyone who knows a few simple tricks for altering the database query through the form fields passed to it.

If you are wondering whether your code is vulnerable to an SQL injection attack, try entering the following into any of your input fields and see what effect it has:

' || 'a'='a

If the field value is pasted straight into the SQL text, the single quote closes the string the query was comparing against and the rest of the input becomes part of the WHERE clause. On MySQL, where || is logical OR by default, the condition becomes always true and the query returns every row; on databases where || means string concatenation (SQLite and PostgreSQL, for example) the equivalent probe is ' OR 'a'='a. A database error message is just as telling as an unexpected result, because it shows that your input reached the SQL parser.

Note that this is only one of the most basic probes used for injection attacks, and being safe from this particular one does not mean that there are no other vulnerabilities in your code. The fix is not to filter out quotes but to pass field values to the database as bound parameters rather than building the query by string concatenation.
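To show what the probe actually does, here is an added example (not code from the original article) that runs the vulnerable and the parameterised form of the same lookup against a constructed in-memory SQLite database. SQLite treats || as string concatenation, so the article's probe is run alongside the OR form to show the dialect difference described above; the table, its rows and the function names are invented for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the data behind the
    Ajax endpoint; the rows are invented for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "admin"),
            ("bob", "bob@example.test", "user"),
            ("carol", "carol@example.test", "user"),
        ],
    )
    return con


def lookup_vulnerable(con, username):
    """Builds the query by pasting the field value into the SQL text.
    This is the pattern the probe in the article is designed to expose."""
    sql = "SELECT username, email, role FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


def lookup_parameterised(con, username):
    """Same lookup with a bound parameter: the value travels separately from
    the SQL text, so quotes inside it never become SQL syntax."""
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# The article's probe and its OR equivalent. In SQLite (and PostgreSQL)
# || is string concatenation, so the first one does not short-circuit the
# WHERE clause here; on MySQL, where || is OR by default, both would.
PROBE_PIPES = "' || 'a'='a"
PROBE_OR = "' OR 'a'='a"


def run_probe(con, probe):
    """Number of rows the vulnerable query leaks for a probe string.
    More than one row means the WHERE clause was rewritten; -1 means the
    input produced a SQL error, which is also a sign it reached the parser."""
    try:
        return len(lookup_vulnerable(con, probe))
    except sqlite3.Error:
        return -1


if __name__ == "__main__":
    con = make_db()
    print("legit lookup:", lookup_vulnerable(con, "alice"))
    print("OR probe, vulnerable query leaks", run_probe(con, PROBE_OR), "rows")
    print("|| probe, vulnerable query leaks", run_probe(con, PROBE_PIPES), "rows on SQLite")
    print("OR probe, parameterised query returns", lookup_parameterised(con, PROBE_OR))
```

The parameterised version returns nothing for either probe, because it looks for a user whose name is literally the probe string. The vulnerable version leaks the whole table for the OR form, which is the "available in bulk" outcome the paragraph above warns about.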



©2009 About.com, a part of The New York Times Company.

All rights reserved.