darknet.org.uk — An article looking in detail at some of the security problems with AJAX, how to find them and how to approach or fix them. Security with AJAX is of course an important consideration: the requests are asynchronous, and a malicious user could write data back to your database if it is implemented incorrectly.
Apr 5, 2006
onezerozeroone, Apr 5, 2006
Wha..wha...whaaaaat....don't ever trust the user??? Always validate and scrub input? What is this new idea of which you speak?!
jnorris441, Apr 5, 2006
"don't learn to hack, hack to learn" In order to hack to learn, one must learn to hack, correct? That's like saying "Don't learn to read, read to learn." I don't think many illiterates will be reading to learn, do you? Or maybe it was just supposed to be a snappy tagline, and I missed the point.
johnnysoftware, Apr 5, 2006
Isn't calling eval for the purpose of validating it a lot like shaking a suspicious package to see if there is a bomb in it, or lighting a match to check if the pilot light in the oven has gone out? "The eval function... can compile and execute any JavaScript program, so there can be security issues. The use of eval is indicated when the source is trusted." Calling the JSON.parse(...) method instead of the eval(...) function is what the site you refer to recommends. They say it checks to see that the JavaScript contains only JSON. I guess I could interpret what you wrote both ways; the wording is a little ambiguous. Either way though, that JSON.org website you pointed out is very handy - thanks.
gweedo767, Apr 5, 2006
--digg means that I am decrementing the digg value prior to anything else occurring. I think this story is so worthless I want to make sure that my -1 occurs prior to any possible output or other arithmetic. Thank you - gweedo767 (that is a sign off)
wolever, Apr 5, 2006
Is it just me, or does a lot of his "security" come through the use of POST data? How is POST data _any_ harder to fake than GET data? Sure, it may make your life a _little_ easier, but there are some neat little tools out there like Tamper Data (tamperdata.mozdev.org/) which give you complete control over everything your browser sends... If you're writing a secure site, security needs to be the first thing you think about. It's not something that can be added on later.... Just my 2c...
ascheinberg, Apr 6, 2006
What post? Give us a link!