This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information about specific frameworks and technologies.
The use of .innerText
will prevent most XSS problems as it will automatically encode the text.
eval()
function is evil, never use it. Needing to use eval usually indicates a problem in your design.
When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep its logical meaning.
Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.
Check out the OWASP Java Encoder Project.
Least ye have forgotten the user controls the client side logic. I can use a number of browser plugging to set breakpoints, skip code, change values, etc. Never rely on client logic.
Just like the security one, make sure any interesting business rules/logic is duplicated on the server side less a user bypass needed logic and do something silly, or worse, costly.
This is hard and even a small mistake can cause large security issues. There are already a lot of frameworks to provide this functionality.
Take a look at the JSON page for links.
Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library or safe JSON or XML library to make attributes and element data safe.
Anything the client knows the user will also know, so keep all that secret stuff on the server please.
Use TLS/SSL and encrypt on the server!
This is the overall one that gets me out of trouble in case I missed something :)
Take a look at the Cross-Site Request Forgery (CSRF) Prevention cheat sheet.
See the JSON Vulnerability Protection section of the AngularJS documentation.
Always have the outside primitive be an object for JSON strings:
Exploitable:
[{"object": "inside an array"}]
Not exploitable:
{"object": "not inside an array"}
Also not exploitable:
{"result": [{"object": "inside an array"}]}
Look for an existing library that has been reviewed.
Even though you only expect your AJAX client side code to call those services the users can too.
Make sure you validate inputs and treat them like they are under user control (because they are!).
Use the framework and be safe, do it by hand and have security issues.
You need to use a 3rd party library to validate web services.
Til Mas
Michael Eddington