Securing Ajax Applications

by Christopher Wells
July 2007
Intermediate to advanced
256 pages
English
O'Reilly Media, Inc.
Content preview from Securing Ajax Applications

XML

The Extensible Markup Language (XML) is a markup language for describing information in documents in a structured way. XML is human readable, which makes it desirable from a development and integration point of view. What makes XML structured is that documents contain both content and metadata that describes that content.

Almost all documents have some structure, so XML is a great way of standardizing that structure into one common format. In web applications, XML is the preferred data exchange format and serves as the foundation of many web protocols and data interchange formats.

XML does not, by itself, have any security features. The following are examples where the use of XML can lead to vulnerabilities.

Input Validation

All information that arrives in a web request (or in any request that originates outside your network) and is not validated before being used by the web application should be considered tainted. This includes XML. Attackers rely on such unvalidated input to reach, and attack, the backend components behind a web application.

If XML data is accepted as input to a web application, an attacker can alter the values embedded in the XML to attack the system. The following document, for example, is well-formed XML, but the content of the greeting element is a script rather than the plain text the application expects:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE greeting [
  <!ELEMENT greeting (#PCDATA)>
]>
<greeting><script>alert('Gotcha!');</script></greeting>

As with all input data, XML data must be validated before it is used. This is particularly true when the XML is consumed in the browser, as in the case of Ajax. Note that the document above is well-formed but not valid against its own DTD: greeting is declared to contain only #PCDATA, yet it holds a script element. Browsers and most Ajax toolkits use non-validating parsers, which read the DOCTYPE but do not enforce it, so the document is accepted without complaint; checking that the structure and content are what the application expects is the application's own job.
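A server-side check of the kind this section calls for, as an added example that is not code from the book: it parses the untrusted document with Python's standard xml.etree parser and then applies a whitelist for a hypothetical greeting endpoint. The accepted root element name, the size limits and the validate() helper are assumptions made for the example. What it shows beyond the paragraph is that the attacker's document from the text parses cleanly, because xml.etree (like browser parsers) is non-validating and ignores the (#PCDATA) declaration in the DOCTYPE; the structural check that rejects the script element has to be written by the application.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not captured traffic).  ATTACK_XML is the
# document shown in the text: well-formed, but its <greeting> carries a
# <script> child element instead of plain character data.
ATTACK_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE greeting [
  <!ELEMENT greeting (#PCDATA)>
]>
<greeting><script>alert('Gotcha!');</script></greeting>"""

GOOD_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<greeting>Hello, world</greeting>"""

# Hypothetical acceptance policy for this endpoint (assumed, not from the book).
ALLOWED_ROOT = "greeting"
MAX_DOC_BYTES = 4096
MAX_TEXT_LEN = 200


class InvalidInput(ValueError):
    """Raised when an untrusted document fails the acceptance policy."""


def well_formed(raw: str) -> bool:
    """True if the parser accepts the document as XML.

    xml.etree is a non-validating parser: a DOCTYPE in the input is read but
    never enforced, so a True result says nothing about whether the element
    structure is the one the application expects.
    """
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


def parse_greeting(raw: str) -> str:
    """Parse an untrusted <greeting> document and return its validated text.

    Each check below is something the DTD in ATTACK_XML promised but the
    non-validating parser did not enforce, plus size limits a DTD cannot
    express at all.
    """
    if len(raw.encode("utf-8")) > MAX_DOC_BYTES:
        raise InvalidInput("document too large")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise InvalidInput(f"not well-formed: {exc}") from None
    # A namespaced root would show up as "{uri}greeting" and is rejected too.
    if root.tag != ALLOWED_ROOT:
        raise InvalidInput(f"unexpected root element <{root.tag}>")
    if root.attrib:
        raise InvalidInput(f"attributes are not allowed on <{ALLOWED_ROOT}>")
    if len(root):
        # (#PCDATA) means text only: the attacker's <script> child fails here.
        raise InvalidInput(f"child element <{root[0].tag}> not allowed")
    text = (root.text or "").strip()
    if not text:
        raise InvalidInput("greeting text is empty")
    if len(text) > MAX_TEXT_LEN:
        raise InvalidInput("greeting text too long")
    return text


def validate(raw: str):
    """(True, text) when the document passes, (False, reason) otherwise."""
    try:
        return True, parse_greeting(raw)
    except InvalidInput as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("attack", ATTACK_XML)):
        print(label, "well-formed:", well_formed(doc), "->", validate(doc))
```

Whatever survives this check is still data, not markup: when the greeting text is sent back to the browser it belongs in the DOM via textContent (or the server-side equivalent, output escaping), never via innerHTML, and the same structural checks apply when the browser itself receives XML over XMLHttpRequest.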

Authentication ...



ISBN: 9780596529314