Saw this article about AJAX security on Slashdot today. There is some interesting info in there, but the author seems to be too focused on security through obscurity and other dead-end tactics. True, it is harder to spoof POST requests than it is to spoof GET requests, but either type of request CAN be spoofed, so you have to take that into account on the server side. Checking the “Referer” header adds essentially NO security to an application because anything in the request is just bits coming across the wire. “Referer” headers, cookies and any HTTP parameters (GET or POST) can be faked, so the server applications themselves need to be designed around this. Security starts – and ends – on the server side when it comes to ANY web application. This goes for standard web applications, AJAX applications and web services.
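To make the point concrete, here is a small Python sketch added to this post as an illustration; it is not from the Slashdot article, the original post, or any Denim Group tool. It models a request as a plain data object (my own simplification) and contrasts a check that only looks at the method and the Referer header with one that relies on state the server itself minted and stored: a session record plus a per-session anti-CSRF token. The request shape, the session store and the token scheme are assumptions for the example.

```python
"""
Added example: why a server-side check must rest on state the server owns,
not on anything carried in the request (method, Referer, cookies, params).
The Request class, the in-memory session store and the per-session token
scheme are assumptions made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Everything here is supplied by the client and can be set to any value."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # GET query or POST body, no difference


SITE = "https://app.example.test"  # constructed origin for the example

# Server-side state: the only thing the application can actually trust.
sessions = {}


def login(user):
    """Create a session and a server-minted anti-CSRF token bound to it.
    Returns (session_id, token); the token is what the page would embed in
    its own forms or AJAX calls."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "csrf": token}
    return sid, token


def weak_check(req):
    """POST-only plus a Referer match. Both values are just bytes the client
    chose to send, so passing this check proves nothing about who sent it."""
    referer = req.headers.get("Referer", "")
    return req.method == "POST" and referer.startswith(SITE)


def strong_check(req):
    """Accept only if (a) the session cookie names a live server-side session
    and (b) the request carries that session's own token. The token never
    depends on the method or on any header the client can rewrite."""
    sess = sessions.get(req.cookies.get("session", ""))
    if sess is None:
        return False
    presented = req.params.get("csrf", "").encode()
    expected = sess["csrf"].encode()
    # constant-time comparison so a wrong token is not distinguishable by timing
    return hmac.compare_digest(presented, expected)


def transfer(req, check):
    """A sensitive action. Returns an HTTP-like status: 200 accepted, 403 refused."""
    return 200 if check(req) else 403


if __name__ == "__main__":
    sid, tok = login("alice")
    # Constructed request: session cookie attached, Referer set to whatever the sender likes.
    spoofed = Request("POST", headers={"Referer": SITE + "/account"},
                      cookies={"session": sid}, params={"amount": "100"})
    print("weak  :", transfer(spoofed, weak_check))    # 200: the header was simply asserted
    print("strong:", transfer(spoofed, strong_check))  # 403: no server-issued token present
    genuine = Request("GET", cookies={"session": sid}, params={"amount": "100", "csrf": tok})
    print("strong:", transfer(genuine, strong_check))  # 200: GET vs POST is irrelevant here
```

The takeaway matches the post: the weak check accepts a request whose only credential is a header the sender wrote, while the strong check rejects it and accepts a request of any method that carries the token the server issued to that session.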
I will be presenting to the OWASP San Antonio chapter about AJAX security on April 19th, 2006. More information can be found here, or feel free to drop me an email. This should be a fun and informative presentation and Denim Group will be releasing an open source tool called “sprajax” that will help with assessment and auditing of AJAX applications.
–Dan
dan _at_ denimgroup.com