AJAX Security - Client Side Validation Is For Usability Only, Not For Security

“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”

Ralph Waldo Emerson

AJAX is one technique among many for presenting information to the user and sending it back to the server.

In Driver's Guide vs. Owner's Manual, JD Meier gives a great rundown of the difference between "how things work" and "how to get the most out of it".

Here is an example of how to apply it in practice:

In ASP.NET AJAX Role Application Service – Visual Studio 2008 (Orcas), David walks through a new feature introduced in Orcas, the AJAX Roles service, and provides a sample. This is the Owner's Manual, explaining how things work:

    function onLoadRolesCompleted(result, userContext, methodName) {
        // Callback for Sys.Services.RoleService.load(): once the roles have been
        // fetched, reveal the admin UI if the current user is an Administrator.
        // This decides only what the browser shows; the server must still check
        // the role on every request that performs an administrative action.
        if (Sys.Services.RoleService.isUserInRole("Administrator")) {
            $get("adminView").style.display = "block";
        }
    }

In ASP.NET AJAX Roles and Security, Michael comments on the feature above, pointing out the importance of server-side role membership validation. This is the Driver's Guide for safe and secure driving:

"You have to test ALWAYS on the server-side code if the user has the needed user rights to execute your code."

Some server-side techniques for verifying authorization in the server-side code:
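The following is an added example, not code from the original post or from the articles it links, showing what the server-side check looks like for the client script above. It assumes a hypothetical ASP.NET AJAX-enabled web service named AdminService with a placeholder namespace, that the application authenticates users (forms or Windows authentication) with the RoleManager enabled so that the request carries an IPrincipal with its roles, and it uses the "Administrator" role from the client sample. The first method shows the mistake of trusting a flag computed in the browser; the other two show the same decision made on the server, once imperatively and once declaratively.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

// Hypothetical AJAX-callable service (added example, not the original post's code).
// The namespace URI is a placeholder.
[WebService(Namespace = "http://example.invalid/adminservice")]
[ScriptService]
public class AdminService : WebService
{
    // WRONG: the authorization decision is a parameter supplied by the browser.
    // Whatever onLoadRolesCompleted decided on the client is just a request value
    // by the time it reaches here, so this method protects nothing.
    [WebMethod]
    public string GetAdminReportInsecure(bool isAdmin)
    {
        if (!isAdmin)
        {
            throw new SecurityException("Not authorized");
        }
        return BuildReport();
    }

    // RIGHT (imperative): ask the principal that ASP.NET authenticated for this
    // request. Nothing the client sends can change what IsInRole returns.
    [WebMethod]
    public string GetAdminReport()
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null
            || !user.Identity.IsAuthenticated
            || !user.IsInRole("Administrator"))
        {
            throw new SecurityException("Not authorized");
        }
        return BuildReport();
    }

    // RIGHT (declarative): the runtime demands the role before the method body
    // runs and throws SecurityException otherwise. Requires RoleManager so that
    // the current principal actually carries the user's roles.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public string GetAdminReportDeclarative()
    {
        return BuildReport();
    }

    private static string BuildReport()
    {
        // Stand-in for the real administrative data.
        return "sensitive admin report";
    }
}
```

Either of the two correct methods can be wired to the client with a ScriptManager service reference; the point is that the role check in onLoadRolesCompleted and the role check in GetAdminReport are two separate checks, and only the second one counts for security.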

Here is another example of not following the core security principle of server-side validation:

Comments

  • Anonymous
    October 03, 2007
    PingBack from http://www.artofbam.com/wordpress/?p=4813
  • Anonymous
    December 17, 2007
    This post walks through the steps I've taken to create simple Dynamic Data Web Application. I just loved
  • Anonymous
    December 17, 2007
    This post walks through the steps I've taken to create simple Dynamic Data Web Application. I just
  • Anonymous
    December 30, 2007
    How to dynamically populate the content of a control based on Web Service call triggered by another control?
  • Anonymous
    December 30, 2007
    How to dynamically populate the content of a control based on Web Service call triggered by another control
  • Anonymous
    February 18, 2008
    How to consume WCF services directly from Html client? How to add AJAX-like functionally to application