In the case of CSRF
attacks, while users of DWR 2.x are automatically protected, users of other major
frameworks such as GWT, Xajax, and Sajax are not. Sometimes, design decisions in the
AJAX framework will lead to additional security benefits. For example, in the case of
JavaScript hijacking, DWR is automatically protected due to added security measures,
while Xajax is automatically protected due to its use of XML as a serialization format. For
this reason, it is recommended that developers using client-side frameworks such as
Prototype and Dojo Toolkit make use of XML as a serialization format as an added
security layer.
Regardless of which framework developers choose, the same format should be
followed for analyzing any potential security impact. Developers should become familiar
with the behavior of their AJAX framework and exactly what protections, if any, their
framework offers. For any protections not provided through the framework, defenses
should be added to the application.
CASE STUDY: WEB 2.0 MIGRATION EXPOSURES
During a typical web technology migration, the traditional concerns that spring to mind are
reliability and performance. Developers will often hope that things will "just work," although
they may worry that the new technology will cause their web application to crash
right from the start.