
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

This is because the HTTP GET method is the default request method used in the jQuery framework. Due to the default usage of
HTTP GET, web application servers hosting jQuery applications will often be open to the
HTTP GET method. Developers should ensure that only the HTTP POST method is used
by the servers hosting their web applications.
In addition to using HTTP POST, developers should avoid the json and script
serialization formats entirely. In their place, developers should use the xml or html
serialization provided by jQuery. This serialization choice will ensure a defense in depth
against JavaScript hijacking attacks when used in addition to other protections.
SUMMARY
The shift to AJAX-style functionality can change the attack surface of web applications.
While web applications in the past clearly defined what information was exposed to the
user, changing to a Web 2.0-style application can make this definition far less clear. As
developers shift to incorporating AJAX frameworks into their web applications to add
AJAX functionality, they need to test for issues such as unintentional method exposure
and debug functionality.
In addition to unintentional exposures, AJAX developers also need to be aware of
exactly what levels of protection their AJAX framework offers.

