The advent in the last two years of Ajax interfaces with improved interactivity has caused many commercial Web site owners to rebuild or refit their Web commerce sites. The move to Ajax and so-called Web 2.0 applications should also lead to a fresh consideration of Web application security.
Many problems to watch for are not intrinsic to Ajax, Walker noted. They just happen to have become more vividly prevalent in the Ajax era. As time goes on, and developers try to do more with the Web interface, the need to filter input correctly has gone up. Wherever there is more interaction with people, there is more possibility for them to slip something bad in, he said.
Some steps to take
A first step is to "make sure all your URLs are protected properly," said Walker. "It's an obvious thing to watch out for, but people get it wrong if only because it is pretty tedious to get right."
XSS can be a hard problem, said Walker. You are at risk of an XSS attack if you allow scripts from an untrustworthy party into your Web pages. And writing a good filter to guard against these attacks is difficult.
Completely restricting users' ability to enter HTML tags would be a partial solution. However, richer interaction is a mark of so-called Web 2.0 applications. For example, comments by viewers are often allowed in blogs, and these dialog windows often allow use of HTML tags. Because these can be dangerous, clever filters must be built to handle such input. Among other steps, Walker recommends taking special care over attributes and regular expressions when building XSS filters.
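The attribute and regular-expression pitfalls mentioned above, shown as an added example (not from the article or from Walker): a script-stripping regex next to an allowlist filter built on Python's `html.parser`. The tag policy, the function names and the sample comment are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed comment policy (not from the article): tag -> attributes allowed on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def regex_filter(html):  # blacklist: removes <script> elements and nothing else
    return re.sub(r"(?is)<script\b.*?>.*?</script\s*>", "", html)

def safe_url(value):
    # Browsers ignore whitespace and control characters inside a scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    return bool(m) and m.group(1).lower() in SAFE_SCHEMES  # absolute URLs only

class CommentSanitizer(HTMLParser):
    """Allowlist filter: re-emits only known tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if tag not in ALLOWED or self.skip:
            return
        # Attribute values arrive entity-decoded, so checks see the real value.
        kept = [(n, v) for n, v in attrs if n in ALLOWED[tag] and v is not None
                and (n != "href" or safe_url(v))]
        self.out.append("<" + tag + "".join(
            f' {n}="{escape(v, quote=True)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip:
            self.skip -= 1
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html):
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample comment: event-handler attribute, entity-encoded scheme, script.
SAMPLE = ('<p onclick="alert(1)">Nice <b>post</b>!</p>'
          '<a href="&#106;avascript:alert(1)">x</a><script>alert(1)</script>')
```

The regex leaves the `onclick` attribute and the encoded `href` in place, while the allowlist filter rebuilds the comment from parsed tokens and drops both. The filter does not balance tags, so a stray closing tag from the allowlist passes through unchanged.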
Walker indicated that as Ajax has evolved, it has further stressed the security limits of browsers, but those limits were there already.
"As we have done more with Ajax, we've understood browsers better. And as a result of understanding browsers a lot better, we have discovered things that they don't do particularly well," he said.
All of these security concerns have come "out of the woodwork" in the Ajax environment, Walker said, but they already existed before.
Note: Joe Walker maintains a Web blog that is replete with useful Ajax security information. A good place to start is his tagged "Security" page.