Serialization Security
Due to the very nature of client-side AJAX frameworks, the available attack surface as
compared with server-side frameworks is greatly reduced. This is because server-side
frameworks must deal with exposing methods to clients, handling debugging, and
providing protection against common security threats such as CSRF and JavaScript
hijacking. Client-side frameworks, on the other hand, are primarily focused on providing
easy-to-use widgets for UI development and abstracting away browser-specific
XMLHttpRequest issues. For this reason, the primary area in which client-side frameworks
can help or hinder the security of a web application is their data serialization format.
The Dojo Toolkit, by default, uses the JSON serialization format, which can easily
leave an application susceptible to JavaScript hijacking attacks. Fortunately for developers, the
default method of submitting requests to the server is HTTP POST. This can help
limit exposure to JavaScript hijacking attacks if the web application server is then
built to accept only HTTP POSTs; however, developers often substitute the
HTTP GET method for HTTP POST for reasons of performance and ease of use.