Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

Additional AJAX Security Research

SecurityFocus posted an AJAX Security Basics article yesterday, sometime after I wrote my blog entry. It looks like AJAX will be the new rage!

Here is the most relevant part: “Ajax does not inherently introduce new security vulnerabilities in the realm of web applications. Instead, the applications face the same security issues as classic web applications.” It seems to me that is on target.

There will be some new flaw classifications because the communication between the web application components is different: asynchronous! In addition to the new client/server implementation, the interaction purely between client-side components will also be of particular interest. These two communication processes will create a few new exploit flaw types, which we will only learn about after they occur.

I focused on the DOM in yesterday's blog post. The DOM is the larger picture: it defines what objects the application may use, and it also relates to the browser's parser. In terms of custom applications, it seems to me that there will be many interesting purely client-side security vulnerabilities as these components communicate with one another.

