Developers need to be aware that allowing HTTP GET requests opens their applications to JavaScript hijacking attacks. While the HTTP GET method should be avoided in favor of the HTTP POST method, an entirely different serialization format should be used as well. If security is a concern for web applications using the Dojo Toolkit, using XML as the serialization format instead of JSON is recommended as a defense in depth. Due to the very nature of JavaScript hijacking attacks, using XML as the data serialization format is a protection against them.
JQUERY
jQuery (http://jquery.com/) is a client framework that aids in the development of AJAX web applications. jQuery offers developers the ability to manipulate multiple elements in the DOM through the chainable jQuery object. Since jQuery is solely a client-side library of JavaScript functions, it can work with any server-side technology in which a web application might be written, such as PHP or Java.
Serialization Security
jQuery, by default, provides the user with four types of serialization formats: json, xml, html, and script. If either the json or script type is used with the application, it will by default be vulnerable to JavaScript hijacking.