AJAX is all the rage, but it can’t do everything people want it to do. For example, AJAX code from one site can’t access another site. The limitation is related to security… but recently Lucas Carlson set out to debunk cross-domain AJAX security myths.
Lucas Carlson does a good job of debunking some of the claimed security problems of AJAX, but he makes one big mistake in saying: “Cross-domain Ajax does not introduce any new security concerns.” Consider this scenario:
- Bob@bigcompany unknowingly downloads the evil JS code from evilwebsite.com
- the evil JS code runs a cross-domain AJAX query to directory.bigcompany.com, which it can now do because it’s running inside the firewall.
- the JS code then packages up the resulting directory information and ships it back to evilwebsite.com.
Taken to its logical extreme, cross-site AJAX means that anyone surfing from behind a firewall might become an unwilling proxy for a remote attacker, letting this attacker browse the web as if he were inside the firewall. Sure, it would be better if all internal services were password-protected, but the fact remains that this is a totally different game, now that this evil code can query within the firewall and send that data back to its originating server surreptitiously.
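The defender's side of this scenario, as an added example that is not part of the original post: today's browsers enforce the same-origin policy and only let a script read a cross-origin response when the server opts in with CORS headers, so an internal service such as the hypothetical directory.bigcompany.example decides which pages may read it. The origins, the directory payload and the request shape below are constructed for the example.

```javascript
// Constructed allowlist of first-party intranet origins that may read
// directory data. The service's own origin belongs here too if it serves a UI.
const ALLOWED_ORIGINS = new Set([
  "https://intranet.bigcompany.example",
  "https://hr.bigcompany.example",
]);

// CORS response headers for an allowlisted Origin, or null when none should be
// sent (no Access-Control-Allow-Origin means the browser refuses to expose the
// body to the calling script). Never echo an arbitrary Origin and never use "*"
// with credentials: either one would let evilwebsite.example read the answer.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,  // exact match only
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                       // caches must key on Origin
  };
}

// Pure decision function: returns { status, headers, body } for a request.
// A present-but-unknown Origin means a browser page we do not trust is
// calling; refuse outright so the request has no side effects either.
// Requests without an Origin (curl, same-origin navigation) are served, which
// is why the post's point about also requiring authentication still stands.
function handleDirectoryRequest(method, origin) {
  if (origin && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: "" };
  }
  const cors = corsHeadersFor(origin) || {};
  if (method === "OPTIONS") return { status: 204, headers: cors, body: "" };
  // Constructed stand-in for the real directory listing.
  const body = JSON.stringify({ users: ["alice", "bob"] });
  return { status: 200, headers: cors, body };
}

// Adapter for a Node http.Server request handler (not started here).
function directoryHandler(req, res) {
  const r = handleDirectoryRequest(req.method, req.headers.origin);
  res.writeHead(r.status, { "Content-Type": "application/json", ...r.headers });
  res.end(r.body);
}

module.exports = { ALLOWED_ORIGINS, corsHeadersFor, handleDirectoryRequest, directoryHandler };
```

CORS only governs whether the page can read the response; state-changing endpoints still need their own CSRF protection and authentication.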
Lucas should correct his post, especially since the rest of his article is good and correctly debunks other security fears.