Re: AJAX Security

2007-08-31 Thread Andy Chen
Thanks... nice read.

So the easiest way to add another layer of Ajax security is the Prefix 
serialized JSON option in CF Admin but from what I understand, it won't break 
anything either right? Sort of like the suppress white space function.

 Have you seen my blog posts on CF8 and Ajax Security?
 
 http://www.coldfusionjedi.com/index.cfm/2007/7/31/ColdFusion-8-Ajax-Security-Features
 
 On 8/30/07, Andy Chen [EMAIL PROTECTED] wrote:
  Not sure how many attended but I attended today's eSeminar - Beyond 
 HTML: using Ajax, PDF, and more to create engaging applications with 
 ColdFusion 8.
 
  Some people were worried about AJAX security and how easy it is to 
 hack RIA (Rich Internet Applications). My take is AJAX is almost 
 like a web service. It allows you to access common information easily. 
 Anything which writes to a database, I have more checks in place 
 (checking UUIDs and various form fields) to prevent someone from just 
 messing around with it.
 
  For my current project, it's an intranet one so I am not too worried 
 about security but is there something even more dangerous that I might 
 be missing when using AJAX that I might not have thought about?
 
  


~|
Get the answers you are looking for on the ColdFusion Labs
Forum direct from active programmers and developers.
http://www.adobe.com/cfusion/webforums/forum/categories.cfm?forumid-72catid=648

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:287528
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: AJAX Security

2007-08-31 Thread Raymond Camden
Right - CF - when it generates JS code, will know it needs to strip prefixes.

On 8/31/07, Andy Chen [EMAIL PROTECTED] wrote:
 Thanks... nice read.

 So the easiest way to add another layer of Ajax security is the Prefix 
 serialized JSON option in CF Admin but from what I understand, it won't break 
 anything either right? Sort of like the suppress white space function.

  Have you seen my blog posts on CF8 and Ajax Security?
 
-- 
===
Raymond Camden, Camden Media

Email: [EMAIL PROTECTED]
Blog  : www.coldfusionjedi.com
AOL IM : cfjedimaster

Keep up to date with the community: http://www.coldfusionbloggers.org


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:287529


Re: AJAX Security

2007-08-31 Thread Rey Bango
Hi Andy,

Apart from Ray's feedback, also keep in mind that the security issues 
with Ajax typically stem from using eval() on JSON packets and external 
JS scripts. While not all-inclusive, of late this has been the biggest 
attack vector for hackers looking to exploit JS weaknesses.

This article will give you some additional info:

http://www.ibm.com/developerworks/library/x-ajaxsecurity.html

Rey...



Andy Chen wrote:
 Thanks... nice read.
 
  So the easiest way to add another layer of Ajax security is the Prefix 
  serialized JSON option in CF Admin but from what I understand, it won't break 
  anything either right? Sort of like the suppress white space function.
 
 Have you seen my blog posts on CF8 and Ajax Security?

 http://www.coldfusionjedi.com/index.cfm/2007/7/31/ColdFusion-8-Ajax-Security-Features

 On 8/30/07, Andy Chen [EMAIL PROTECTED] wrote:
 Not sure how many attended but I attended today's eSeminar - Beyond 
 HTML: using Ajax, PDF, and more to create engaging applications with 
 ColdFusion 8.
 Some people were worried about AJAX security and how easy it is to 
 hack RIA (Rich Internet Applications). My take is AJAX is almost 
 like a web service. It allows you to access common information easily. 
 Anything which writes to a database, I have more checks in place 
 (checking UUIDs and various form fields) to prevent someone from just 
 messing around with it.
 For my current project, it's an intranet one so I am not too worried 
 about security but is there something even more dangerous that I might 
 be missing when using AJAX that I might not have thought about?

 
 
 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:287531
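Ray's point about the prefix being stripped and Rey's point about eval() on JSON packets come together on the client side. The following is an added example, not code from the thread or from ColdFusion itself: a browser-side parser for a CF8 response produced with the "Prefix serialized JSON" option that strips the prefix and uses JSON.parse rather than eval(). It assumes the CF Admin default prefix of "//" and uses constructed sample response bodies.

```javascript
// Added example (not from the thread): consuming a ColdFusion 8 JSON
// response produced with "Prefix serialized JSON" enabled, without eval().
// Assumption: CF Admin's default prefix is "//" (it is configurable).
const DEFAULT_JSON_PREFIX = "//";

// Parse a prefixed JSON body. Throws if the prefix is missing, so a body
// that was not produced with the expected setting is rejected instead of
// being executed or silently accepted.
function parseProtectedJson(text, prefix = DEFAULT_JSON_PREFIX) {
  if (typeof text !== "string") {
    throw new TypeError("response body must be a string");
  }
  if (!text.startsWith(prefix)) {
    throw new Error("JSON response does not carry the expected prefix");
  }
  // JSON.parse is a data parser, not a code evaluator: a body that
  // contains JavaScript instead of JSON fails here rather than running.
  return JSON.parse(text.slice(prefix.length));
}

// Constructed sample: what a CFC method returning a struct looks like with
// the prefix option on (CF upper-cases struct keys when serializing).
const SAMPLE_RESPONSE = '//{"USERID":42,"ROLE":"editor"}';

// Constructed sample of a body that is JavaScript rather than JSON. A client
// that strips the prefix and then calls eval() would execute it;
// parseProtectedJson rejects it with a SyntaxError.
const SAMPLE_SCRIPT_BODY = '//window.leaked = {"USERID":42}; ({"ok":true})';

// Runs both samples and reports what a safe client sees.
function demo() {
  const good = parseProtectedJson(SAMPLE_RESPONSE);
  let rejected = false;
  try {
    parseProtectedJson(SAMPLE_SCRIPT_BODY);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  return { good, rejected };
}
```

The same function works for a custom prefix configured in CF Admin by passing it as the second argument.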


Re: AJAX Security

2007-08-31 Thread Andy Chen
Hi Rey,

The information from your link is excellent. Since my current project is 
internal and we aren't using any external JSON sources, some of the security 
warnings may not be applicable. However I do see how dangerous it could be 
for an external site and doubly so for those which are doing E-commerce or 
anything with $$.

Thanks...

Hi Andy,

Apart from Ray's feedback, also keep in mind that the security issues 
with Ajax typically stem from using eval() on JSON packets and external 
JS scripts. While not all-inclusive, of late this has been the biggest 
attack vector for hackers looking to exploit JS weaknesses.

This article will give you some additional info:

http://www.ibm.com/developerworks/library/x-ajaxsecurity.html

Rey...



Andy Chen wrote:
 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:287540


Re: AJAX Security

2007-08-30 Thread Raymond Camden
Have you seen my blog posts on CF8 and Ajax Security?

http://www.coldfusionjedi.com/index.cfm/2007/7/31/ColdFusion-8-Ajax-Security-Features

On 8/30/07, Andy Chen [EMAIL PROTECTED] wrote:
 Not sure how many attended but I attended today's eSeminar - Beyond HTML: 
 using Ajax, PDF, and more to create engaging applications with ColdFusion 8.

 Some people were worried about AJAX security and how easy it is to hack RIA 
 (Rich Internet Applications). My take is AJAX is almost like a web service. 
 It allows you to access common information easily. Anything which writes to a 
 database, I have more checks in place (checking UUIDs and various form 
 fields) to prevent someone from just messing around with it.

 For my current project, it's an intranet one so I am not too worried about 
 security but is there something even more dangerous that I might be missing 
 when using AJAX that I might not have thought about?

 


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:287498