38 Comments
- Miche1987, on 10/10/2007, -3/+76: Dugg for "Ajax-ulation".
- radicaldementia, on 10/10/2007, -0/+15: This really just fits in line with the concept that you should *never* rely on client-side validation. Any kind of verification or input validation should always be done on the server side, where people can't (easily) insert their own code or bypass existing code. Javascript and Ajax are meant for creating a dynamic UI, not for security.
- darkfate, on 10/10/2007, -2/+13: Bah, there are plenty of ways to prevent Premature Ajax-ulation. Although only abstinence from writing AJAX will give you 100% certainty.
- Otto, on 10/10/2007, -0/+7: I just ajaxulated all over your website.
- ProtonageNet, on 10/10/2007, -0/+6: check out ajaxulation in action http://milw0rm.com/video/watch.php?id=71
  a video exploit demo of a meebo.com worm, pretty scary stuff if you can follow it.
- TenebrousX, on 10/10/2007, -0/+5: Client-side validation is useful for alerting the user if their passwords don't match or their email is invalid, for example, so that they don't have to wait for a server request and response. Of course, the real validation should be done at the server.
- bwiney, on 10/10/2007, -1/+5: I always make sure to do both server-side and client-side data validation, and even then I fear that there is a vulnerability hiding somewhere, but I could just be paranoid.
- greenmile, on 10/10/2007, -1/+4: Obfuscate your javascript and always do server-side validation
- potskie, on 10/10/2007, -0/+3: LOL
- heebygeeby, on 10/10/2007, -0/+3: Isn't it pretty widely known that you should always use server-side validation? wtf, people?
- LowRentDiggs, on 10/10/2007, -0/+3: yeah, client-side validation is for convenience only. It can get annoying on a less than adequate connection to have to keep reloading a page over and over to see that a username is not available.
- Ryosen, on 10/10/2007, -0/+2: Obfuscated code can easily be disassembled and, in many instances, breaks non-English browsers. Server-side validation, however, is critical.
- InternetCeleb, on 10/10/2007, -1/+3: I hope the term 'ajaxulation' catches on for ajax security exploits.
  I *really* do!
- dontmatta, on 10/10/2007, -1/+3: I couldn't agree more. Coders have to be aware that user inputted data through Ajax can easily be manipulated, just like any form.
- ArchieAndrews, on 10/10/2007, -0/+2: It is the title of the article. Your gripe is with arstechnica, not digg.
- tracker1, on 10/10/2007, -0/+2: To be honest, this is somewhat insightful... however, why not validate on both, being able to provide for nearly-instant feedback client-side, as well as security checks server-side. Also, you can give an error message via AJAX as well as any other response... It just comes down to not relying on the client-side... Yes, JS isn't meant for security, but input validation client-side + server-side can make for a better UX.
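The "validate on both sides" approach several commenters describe, as an added example that is not from the thread or the Ars Technica article it discusses: one set of rules gives the browser instant feedback, and the server runs the same rules again on the raw Ajax body because it cannot know whether the client-side check ever ran. The field names, rules and handler are hypothetical.

```javascript
// Rules shared by both sides. In a real app this object would be bundled into the
// page for the browser and required by the server, so both enforce the same thing.
const RULES = {
  username: v => typeof v === "string" && /^[a-z0-9_]{3,16}$/.test(v),
  email:    v => typeof v === "string" && v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age:      v => Number.isInteger(v) && v >= 13 && v <= 120,
};

// Returns the names of failing fields; an empty array means the input is valid.
function validate(input) {
  const errors = [];
  for (const [field, ok] of Object.entries(RULES)) {
    if (!ok(input[field])) errors.push(field);
  }
  // A hand-built request can carry keys the form never had; reject them too.
  for (const key of Object.keys(input)) {
    if (!(key in RULES)) errors.push(`unexpected:${key}`);
  }
  return errors;
}

// Browser side: run on keyup/submit for immediate feedback. The result is advisory
// only; the user controls this code and may skip or alter it.
function clientSideCheck(formValues) {
  return validate(formValues);
}

// Server side: the body is bytes from an untrusted peer (a browser, or any other
// HTTP client). It may never have passed through clientSideCheck, so parse
// defensively and validate again before anything touches the database.
function handleSignup(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["malformed-json"] };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, errors: ["not-an-object"] };
  }
  const errors = validate(body);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 201, user: body.username };
}
```

The server never reads a "validated" flag from the client; it recomputes the verdict from the data itself.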
- marcz, on 10/10/2007, -0/+1: Freakin awesome title.
- tybris, on 10/10/2007, -0/+1: What does AJAX have to do with this? You should ALWAYS consider security risks when implementing a web application...
- marcz, on 10/10/2007, -0/+1: Yes, poor implementation of a technique.
- fpcyber, on 10/10/2007, -2/+3: I agree 100%, a lot of sites make their services safe through php, jsp, asp.... but forget the javascript and script that make the Ajax work can be vulnerable too.
- schneidafunk, on 10/10/2007, -0/+1: For all the fellow programmers out there, this exploit really does not have much to do with ajax, but more about sloppy programming. Old news... don't trust the client side. Parse your input before it goes into a database! Do error checking on the server!
- grumpyrain, on 10/10/2007, -0/+1: Well as the name suggests, AJAX uses Javascript to talk to the server. So client side rules can be implemented just as easily on an AJAX website as a simple html+javascript website. The main difference is that AJAX provides a framework where it is trivial to pass the parameters to the server to perform asynchronous validation there. So contrary to the article, I believe AJAX empowers developers to create server side validation much easier than simple html. That is what I meant by 'easier', not 'easier than client side', because it is equally easy as client side, but much easier to do server side.
  The client is also an untrusted entity. You can presume absolutely nothing about the data being passed from the client, even with Javascript checking. It is web development 101. If you are hosting the server in a secure environment, then it (should be unless you do something dumb) impossible to bypass the validation.
- greenmile, on 10/10/2007, -0/+1: Obviously... but at least make it difficult for them.
- cmburns69, on 10/10/2007, -0/+1: If you only have time to put security on one side (client or server), put it on the server. In client-server programming, if you ever have to choose between validation on the client or server, put the validation on the server. Most buffer overflows could be stopped by validating the input received by the server.
- grumpyrain, on 10/10/2007, -0/+1: I thought the idea of AJAX was to allow browser-server comms to occur without reloading an entire page? Wouldn't therefore AJAX make it easier to place client side validation code that used to be implemented in javascript back to the server side?
- SLeepdepD, on 10/10/2007, -0/+1: Dugg for "Premature Ajax-ulation".
- Ryosen, on 10/10/2007, -0/+1: Inversion of Control and Dependency Injection.
  Two design patterns very much worth learning and understanding. They form the basis of any good security design.
- tedgoddard, on 10/10/2007, -1/+1: ICEfaces from http://www.icefaces.org is a server-side Ajax technology and is more secure precisely because of the arguments presented.
- laptopboy, on 10/10/2007, -0/+0: I agree 100%
- insanebrain, on 10/10/2007, -2/+2: "Security experts warn ..."
  yeah ..right
- andrewgw, on 10/10/2007, -0/+0: Good to know... dugg for the comment from Darkfate!
- iapx, on 10/10/2007, -0/+0: It is easier to place client-side validation code.
  But client-side validation code could be blocked, modified or bypassed by the client itself (which the user owns and controls), so this validation (and rules) must be enforced on the server-side too, where the user could not bypass it (easily).
- BGog, on 10/10/2007, -1/+1: Ummm you don't actually know what Ajax is do you? To compare Javascript/Ajax with PHP or asp is just wrong. They are for completely different things. Javascript runs in the browser (often used for fancy eyecandy etc) and php/asp are server side implementation technologies. php/asp work together with javascript to implement a web page.
  Ajax is simply a technique where a piece of javascript running in the browser makes an asynchronous request to the server and then (often) replaces one or more portions of the DOM tree without reloading the entire page. This is what allows for many web2.0ish features we have become used to. The digg button for example. Also the new Digg comment system uses ajax techniques to give you a reply box inline without reloading the WHOLE page with all the comments.
  As for the article, they are correct that you need to be just as careful when using ajax as when doing any other part of your implementation. But it is NOT a php vs javascript thing because one cannot replace the other.
- InternetCeleb, on 10/10/2007, -1/+0: Server-side validation is absolutely essential.
  Client-side validation is only good for the user's convenience. It should never be relied upon by the app itself.
- champ20, on 10/10/2007, -1/+0: lol exactly...some of these stories are just pointless
- juggrnaut, on 10/10/2007, -6/+2: interesting article, thanks
- potskie, on 10/10/2007, -5/+1: LOL
- vap0r, on 10/10/2007, -7/+1: I see what you did there! ...clever