18.3. AJAX-Enabled Application Threats
The introduction of Web 2.0 and the need for AJAX techniques to improve responsiveness and user experience have made the web application more vulnerable to attack. This section discusses some of the threats that an AJAX-enabled application might face from attacks. The focus is on the ASP.NET AJAX 3.5 when discussing the different threats that an AJAX-enabled Web application faces.
18.3.1. Information Leakage
As you know, ASP.NET AJAX allows the client-side JavaScript code to call web methods that are located in web services on the server-side. Hence, a JavaScript function on the browser can call asynchronously a web service, as if the server-side method is on the client-side. When you add a reference to a web service into the ScriptManager instance on the page, the ASP.NET AJAX engine creates a client-side proxy class similar to the server-side proxy class. And your JavaScript code now has a client-side class that acts as a proxy to the web service on the server-side.
The proxy class contains the methods that your client-side code can call from the browser using JavaScript. To view the client-side proxy, run the web service in a browser and append the /js extension to the web service URL. This URL is the URL of the client-side proxy class. It lists all the methods of the web service in the form of JavaScript functions that you can call asynchronously from the client-side. ASP.NET AJAX brought great flexibility to web applications, since ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.