Ajax functionality can be “sprinkled” onto an application simply and without security implications
Ajax applications may seem simple from a user’s perspective, but under the covers they are fairly complex beasts. They rely on multiple client-side technologies, such as HTML, XML, and JavaScript, all working in harmony. They may also rely on the client-side technologies working in harmony with various server-side technologies, such as Microsoft .NET, Java EE, PHP, or Perl. Most organizations want their Ajax applications to be just as available as their other Web applications. Many organizations have requirements that any user should be able to access the company’s implementation of Ajax applications, whether they are using Microsoft Windows, MacOS, or Linux, and regardless of whether they are using Internet Explorer, Safari, Firefox, or any other browser. All of these dependencies tend to cause code complexity, and code complexity tends to cause security defects.
MULTIPLE LANGUAGES AND ARCHITECTURES
Except for the rare application that uses JavaScript on the server side, most Ajax applications are implemented in at least two different programming languages. To implement the client-side portion of the application logic, JavaScript is, by far, the preferred choice, although VBScript and others are also possible. (Would Ajax using VBScript be called Avax?) On the server, there are dozens, if not hundreds, of choices. Java, C#, and PHP are currently the three most widely implemented languages, but Perl, Python, and Ruby (especially Ruby on Rails) are quickly gaining in popularity. In addition to logical languages for client- and server-side processing, Web applications contain other technologies and languages such as presentational languages, data languages, transformation languages, and query languages. A typical application might use HTML and Cascading Style Sheets (CSS) for presenting data; JavaScript for trapping user events and making HTTP requests; XML for structuring this data; SOAP for transporting the data; XSLT for manipulating the data; PHP to process the requests on the server side; and SQL or LDAP for running database queries. This is a total of eight different technologies, each of which has its own nuances, intricacies, standards, protocols, and security configurations that all have to work together.
You might ask why having a number of diverse technologies is necessarily a bad thing. Any high school shop teacher will tell you that it’s important to always use the right tool for the right job. JavaScript may be the right tool for the client code and PHP may be the right tool for the server code. However, getting tools to work well together can be challenging. The subtle differences in conventions between languages can lead to code defects, which can lead to security vulnerabilities. Because a developer is dealing with so many different languages, it is easy to forget how features differ from language to language. In most cases, it would be a rare find, indeed, to locate a developer skilled in the nuances of two or three of the languages mentioned above, let alone all of them. Many times, a developer can make a programming mistake that is syntactically correct for a language, but results in a security defect.
ARRAY INDEXING
One specific case of this is array indexing. Many languages, like JavaScript, C#, and Java, use 0-based array indexing. With 0-based indexing, the first element of an array is accessed as item 0.
return productArray[0]; // return the first element
Other languages, like ColdFusion and Visual Basic, use 1-based array indexing. With 1-based indexing, the first element of an array is accessed as item 1.
'Select the first element
SelectProduct = productArray(1)
Unless this discrepancy is accounted for, unexpected issues can arise.
The Ned’s Networking Catalog is a Web application written in ColdFusion for the server side and JavaScript for the client side. Figure 5-1 shows the three different types of devices that are in stock. These items are stored in a JavaScript array on the client. In the array, the hub is stored at index 0, the bridge is stored at index 1, and the router at index 2. However, on the server, a ColdFusion array holding product information would treat the hub as index 1, the bridge as index 2, and the router as index 3. If the JavaScript client uses Ajax to communicate a selected product index to the server, the server may process the order incorrectly due to the index mismatch. An unsuspecting customer could order a router, but receive a bridge. Alternatively, if the back end billing system uses 1-based indexing and the inventory system uses 0-based indexing, it could be possible for a customer to order and receive a hub, but get charged for a bridge!
Another effect of this mismatch in array indexes is that selecting items on the ends of the array (either the very first or very last element, depending on the mismatch direction) may cause an index out-of-bounds failure on the server. In the example illustrated in if the user tried to order the hub at index 0 in the client-side array, the server would throw an error because there is no corresponding item 0 in the server-side array.
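The following is an added example, not code from the book or from the Ned’s Networking Catalog application. It simulates the index mismatch described above in JavaScript: a 0-based client array beside a server-side store addressed 1..n the way a ColdFusion array would be (modelled here with a Map, since there is no ColdFusion runtime in the example). The product names, SKUs, and function names are constructed for illustration. The naive handler reproduces both failure modes from the text (router ordered, bridge delivered; hub at index 0 causes an out-of-bounds error), and two hardened handlers show the fixes a reviewer would ask for: ordering by a stable product identifier so no positional index crosses the language boundary, and, where a legacy client must still send a position, converting it explicitly and bounds-checking before use.

```javascript
// Added example (not the book's code): simulating the 0-based client /
// 1-based server index mismatch and its defensive fixes.

// Constructed sample catalog as the client holds it (0-based JavaScript array).
const clientProducts = [
  { sku: "HUB-100", name: "hub" },     // client index 0
  { sku: "BRG-200", name: "bridge" },  // client index 1
  { sku: "RTR-300", name: "router" },  // client index 2
];

// Server-side stand-in: a 1-based store keyed 1..n, mirroring how a
// ColdFusion array would address the same three products.
const serverProducts = new Map([
  [1, { sku: "HUB-100", name: "hub" }],
  [2, { sku: "BRG-200", name: "bridge" }],
  [3, { sku: "RTR-300", name: "router" }],
]);

// Naive server handler: trusts the client's index as-is and looks it up in
// the 1-based store. This is the off-by-one the text describes.
function naiveOrderByIndex(index) {
  const product = serverProducts.get(index);
  if (product === undefined) {
    throw new RangeError(`no product at server index ${index}`);
  }
  return product.name;
}

// Hardened handler: the client sends the product's SKU rather than its
// position, so no index arithmetic crosses the language boundary. The
// server validates the SKU against its own catalog (an allow-list).
function orderBySku(sku) {
  if (typeof sku !== "string") {
    throw new TypeError("sku must be a string");
  }
  for (const product of serverProducts.values()) {
    if (product.sku === sku) return product.name;
  }
  throw new RangeError(`unknown sku ${sku}`);
}

// Legacy-compatible handler: if a positional index must be accepted, convert
// it explicitly and bounds-check before use, so the mismatch cannot surface
// as a silently wrong product or an unhandled out-of-bounds error.
function orderByClientIndex(clientIndex) {
  if (!Number.isInteger(clientIndex)) {
    throw new TypeError("index must be an integer");
  }
  const serverIndex = clientIndex + 1; // 0-based client -> 1-based server
  if (serverIndex < 1 || serverIndex > serverProducts.size) {
    throw new RangeError(`client index ${clientIndex} out of range`);
  }
  return serverProducts.get(serverIndex).name;
}

// Runs the scenario from the text and returns the outcomes for inspection.
function demonstrate() {
  const results = {};
  // Customer picks the router (client index 2); naive server ships the bridge.
  results.naiveRouter = naiveOrderByIndex(2);
  // Customer picks the hub (client index 0); naive server fails out of bounds.
  try {
    results.naiveHub = naiveOrderByIndex(0);
  } catch (err) {
    results.naiveHub = err.constructor.name;
  }
  // Hardened paths return the product the customer actually chose.
  results.skuRouter = orderBySku(clientProducts[2].sku);
  results.convertedHub = orderByClientIndex(0);
  results.convertedRouter = orderByClientIndex(2);
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
}
```

Running the file with node prints the results object; the naive path yields "bridge" for a router order and a RangeError for the hub, while the SKU and converted-index paths return the selected product. The SKU approach is the one to prefer: it removes the positional coupling entirely, and the server-side allow-list check is the same validation it would need for any client-supplied identifier.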