Arguments against using Ajax with Struts Step 41
I am going to show you how to use Ajax with Struts. However, many people are afraid to use Ajax because they think it has security holes or is otherwise unsafe to use. Recently a person submitted a document to a state agency informing them that they shouldn’t use Ajax and gave a list of his reasons.
Here are the person’s complaints of the risks of using Ajax:
1) The logic of an Ajax Web application is more exposed than that of the standard Web page. It is a simple matter for an advanced user (or an attacker) to look inside and gain knowledge about the internal workings of the application.
This is not true. Ajax is just JavaScript. If you have properly implemented your security, then you shouldn’t have to worry about an attacker. Also, most applications use JavaScript in one form or another, and any security issue isn’t there because the developer is using Ajax.
2) Data transformation on the client can greatly increase the impact of any code injection vulnerabilities such as SQL injection and XPath injection.
This is an issue with PHP code that accesses the database directly from the PHP page. It would not be an issue with Java, because a Java developer shouldn’t be accessing the database directly from the View layer.
3) When the query results are transformed into HTML on the client instead of the server, neither of the SQL injection techniques typically used is necessary. A simple appended SELECT clause is all that is required to extract all the data from the database. This drastically simplifies the ability to perform attacks on AJAX applications and access data.
Again, this would be an issue with other languages, not with Java.
4) This is moving away from the MVC design pattern.
One architect claims that using Ajax is moving away from the MVC design pattern. You might develop an argument for that view if you are an MVC purist, but most applications are not built this way. An MVC purist will say that every action has to be handled by the controller. If the user selects a button or a link, the controller has to perform the action; therefore, JavaScript can’t be used to perform the action. I would disagree with this thinking, because there are many instances where an action would not be handled by the controller. Using Ajax still calls the action class, and the action class still performs the action. I don’t believe this argument helps in developing a user-friendly application.
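To make points 2, 3 and 4 concrete, here is an added example (not code from the original tutorial) of a Struts 1 Action that answers an Ajax request. It shows both halves of the argument above: the request still goes through the action class, so the controller is not bypassed, and the database is reached only through a DAO that uses a PreparedStatement with server-side validation of the parameter, so nothing the browser sends is ever concatenated into SQL. The class names CustomerLookupAction, CustomerDao and Customer, the customerId request parameter, the customer table and the DaoFactory lookup are all assumptions made for the example.

```java
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical Struts 1 action mapped to e.g. /customerLookup.do and called
// from the page with XMLHttpRequest. Struts creates it with the no-arg
// constructor, so the DAO comes from an assumed DaoFactory.
public class CustomerLookupAction extends Action {
    private final CustomerDao dao = DaoFactory.customerDao(); // assumed factory

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // Server-side validation: the JavaScript may have validated the field,
        // but the Action revalidates because the client can be altered.
        int customerId;
        try {
            customerId = Integer.parseInt(request.getParameter("customerId"));
        } catch (NumberFormatException e) {   // also thrown when the parameter is absent
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                               "customerId must be an integer");
            return null;
        }

        // The View layer never touches the database; the DAO does.
        Customer customer = dao.findById(customerId);
        if (customer == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        // Write the JSON reply ourselves and return null: no JSP forward,
        // but the controller still handled the action.
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.print("{\"id\":" + customer.id + ",\"name\":\""
                  + escapeJson(customer.name) + "\"}");
        out.flush();
        return null;
    }

    // Minimal JSON string escaping so a name containing quotes cannot break
    // the reply the JavaScript parses.
    static String escapeJson(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }
}

// Assumed data holder for the example.
class Customer {
    final int id;
    final String name;
    Customer(int id, String name) { this.id = id; this.name = name; }
}

// Assumed DAO: the only place SQL lives, and the value arrives as a bound
// parameter, so an "appended SELECT clause" from the client is never executed.
class CustomerDao {
    private final DataSource ds;
    CustomerDao(DataSource ds) { this.ds = ds; }

    Customer findById(int id) throws SQLException {
        String sql = "SELECT id, name FROM customer WHERE id = ?";
        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                return new Customer(rs.getInt("id"), rs.getString("name"));
            }
        }
    }
}
```

The JavaScript side only sends customerId and renders the returned JSON; whether the HTML is assembled in the browser or on the server makes no difference to the database, because the query shape is fixed in the DAO and the Action rejects anything that is not an integer before the DAO is ever called.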