[Catalyst] implementing ajax

Mesdaq, Ali amesdaq at websense.com
Wed Mar 12 22:07:59 GMT 2008


The format of the data does not really have much to do with security in
this case. The assumption is being made here that you have proper
authentication and control over the data. For example, if you're pulling up
a list of inventory items that's from your database that are only
inserted by you, then it's much easier to work with the data if it's json.
You would not pull json data if it's user-created content. I think the
proper use of ajax in most web apps is for UI items that are not
sensitive but help in navigation of a site. The methods that serve the
data should also have these considerations in place. You might create an
ajax method that you post an ID to and get important account
information. Well, that is just an insecure thing to do in the first
place, and it doesn't matter if you make it json, xml, or a plain html
page.

Was there anything I am missing about other implications of json being
insecure? 

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Matt Pitts [mailto:mpitts at a3its.com] 
Sent: Wednesday, March 12, 2008 6:48 AM
To: The elegant MVC web framework
Subject: RE: [Catalyst] implementing ajax

I'm going to have to be the red-headed stepchild that advocates XML...

> -----Original Message-----
> From: Mesdaq, Ali [mailto:amesdaq at websense.com]
> Sent: Tuesday, March 11, 2008 5:19 PM
> To: The elegant MVC web framework
> Subject: RE: [Catalyst] implementing ajax
> 
> Jennifer,
> 
> Are you sure you want to stick with this route? Looks like you're going
> to make a lot of work for yourself. I would hate to see the js code to
> make xml. Use the js code to just post the values you want, read those
> values

I can't speak too much on the generation of XML on the client, but I do
advocate the use of POST rather than uploading an XML body. Most of the
popular JS toolkits make this quite easy.

> Why would you want to use JSON? Because javascript can just read it
> straight in and you can use it without having to parse anything. Your
> js would just eval the returned json content and use it. If you return
> xml you will need to parse it out and it just makes a lot of work.

The main reason against JSON for me is security. Something that can be
eval'd is very dangerous and I'm sure we're all aware of the cross-site
vulnerabilities that take advantage of JSON returned data. The one thing
that's always mentioned as total failsafe against it is to *not* use
JSON as your returned data structure.

As far as parsing the XML, that's why I use ExtJS. I can define a Store
and use XPath to map Record fields to my XML data - ExtJS does the rest.
It's a bit like having a Model of my data on the client side.

Just my 2 cents.

v/r
-matt pitts
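As an added example (not code from either poster), this is the client-side half of the mitigation the thread circles around: treat the AJAX response as data and never eval it. It assumes a hypothetical server that prepends the literal prefix `)]}',\n` to every JSON body, so the body is not a runnable script if it is ever pulled in cross-site through a script tag; the sample responses are constructed.

```javascript
// Added example: parse an AJAX JSON response without eval().
// Assumed (hypothetical) server convention: every JSON body starts with
// the prefix below, which makes the response a syntax error as a script.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Strict parser: strips the known prefix, refuses anything that is not
// JSON, and only accepts an object or array at the top level.
function parseAjaxJson(body) {
  if (typeof body !== "string") {
    throw new TypeError("response body must be a string");
  }
  let text = body;
  if (text.startsWith(ANTI_HIJACK_PREFIX)) {
    text = text.slice(ANTI_HIJACK_PREFIX.length);
  }
  let value;
  try {
    value = JSON.parse(text); // data parser, not a code interpreter
  } catch (e) {
    throw new SyntaxError("response is not valid JSON: " + e.message);
  }
  if (value === null || typeof value !== "object") {
    throw new TypeError("top-level JSON value must be an object or array");
  }
  return value;
}

// Returns true when parseAjaxJson() refuses the body.
function isRejected(body) {
  try {
    parseAjaxJson(body);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample responses for the inventory-list case from the thread.
const GOOD_RESPONSE = ANTI_HIJACK_PREFIX + JSON.stringify([{ id: 1, name: "widget" }]);
// A JS object literal (unquoted keys): eval() would accept it, JSON.parse() does not.
const OBJECT_LITERAL_RESPONSE = "({id: 1, name: 'widget'})";

console.log(parseAjaxJson(GOOD_RESPONSE));          // [ { id: 1, name: 'widget' } ]
console.log(isRejected(OBJECT_LITERAL_RESPONSE));   // true
```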
