Spry :: AJAX JavaScript Hole

December 28, 2006 by Andrew Powell
I was playing around with one of my examples earlier today and noticed a hole in JavaScript, not exactly unknown, that can be used to manipulate Spry datasets. I was looking at this example. Once the page had loaded, I typed this into the address bar:

javascript:dsPlayers.sort("name", "toggle");

This triggered, as expected, the sort method on the dataset. Other dataset methods, such as loadData(), can be called the same way. The same thing can be done to any AJAX application, not just Spry. Spry is shown here because its dataset object exposes easily reached methods, but any JavaScript object a page keeps in global scope can be called, changed or replaced by whoever is sitting at the browser. There is no clean way around this little niggling issue in the client itself, because running page script from the address bar is a fundamental piece of the browser and JavaScript; the practical consequence is that nothing the client-side code computes or holds can be trusted by the server.
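The point above, together with the advice in the comments below, taken into working code as an added example (not code from the original post and not Spry's own API): a Node.js request handler for the kind of feed a dataset's loadData() fetches. Because the user can call dsPlayers.sort(), dsPlayers.loadData() or anything else exposed to page script, every query parameter and every flag the page sends back is under the user's control. The player records, the session table, the parameter names (sort, dir, team, admin) and both handlers are constructed for this example. handleTrusting() lets the request decide what it is allowed to see, which is exactly what the address-bar trick defeats; handlePlayers() takes the sort column from an allow-list and the visibility rule from the server-side session.

```javascript
// Added example, not code from the original post and not Spry's API.
// Server side of a feed that a Spry-style dataset would fetch with
// loadData(): GET /players.json?sort=score&dir=desc. Everything in that
// request, and anything the page keeps in JavaScript, can be changed by the
// user from the address bar, so the server must not trust it.

// Constructed sample data: the rows the dataset would display.
const PLAYERS = [
  { name: 'Carla', team: 'red',  score: 30 },
  { name: 'Ana',   team: 'red',  score: 42 },
  { name: 'Dev',   team: 'blue', score: 17 },
  { name: 'Bo',    team: 'blue', score: 55 },
];

// Constructed server-side session store, keyed by the session cookie.
// Which team a user belongs to, and whether they are an admin, lives here
// and nowhere the client can reach.
const SESSIONS = {
  'sid-alice': { user: 'alice', team: 'red',  admin: false },
  'sid-bob':   { user: 'bob',   team: 'blue', admin: true  },
};

// Columns a client may sort by. Anything else is rejected rather than used
// as a property name on the records.
const SORTABLE = new Set(['name', 'score']);

function sortRows(rows, column, dir) {
  const sign = dir === 'desc' ? -1 : 1;
  return [...rows].sort((a, b) => {
    if (a[column] < b[column]) return -sign;
    if (a[column] > b[column]) return sign;
    return 0;
  });
}

// Trusting handler: the page is expected to send its own team and an admin
// flag, and the server believes them. A user who simply requests
// ?team=blue&admin=1 (nothing stops them; the page's own loadData() call is
// just another request) gets every row.
function handleTrusting(query) {
  const params = new URLSearchParams(query);
  const sort = params.get('sort') || 'name';
  const allRows = params.get('admin') === '1';
  const visible = allRows ? PLAYERS : PLAYERS.filter(p => p.team === params.get('team'));
  return { status: 200, rows: sortRows(visible, sort, params.get('dir')) };
}

// Hardened handler: the only things taken from the request are the sort
// column (allow-listed) and direction; who may see what comes from the
// session the cookie maps to. Extra parameters such as admin=1 are ignored.
function handlePlayers(query, sessionId) {
  const session = SESSIONS[sessionId];
  if (!session) return { status: 401, rows: [] };

  const params = new URLSearchParams(query);
  const sort = params.get('sort') || 'name';
  if (!SORTABLE.has(sort)) return { status: 400, rows: [] };
  const dir = params.get('dir') === 'desc' ? 'desc' : 'asc';

  const visible = session.admin ? PLAYERS : PLAYERS.filter(p => p.team === session.team);
  return { status: 200, rows: sortRows(visible, sort, dir) };
}

// The request a tampered page would send, run against both handlers.
const tampered = 'team=blue&admin=1&sort=score&dir=desc';
console.log('trusting :', handleTrusting(tampered).rows.map(p => p.name));
console.log('hardened :', handlePlayers(tampered, 'sid-alice').rows.map(p => p.name));
console.log('bad sort :', handlePlayers('sort=__proto__', 'sid-alice').status);
```

The trusting handler returns all four players to anyone who adds admin=1; the hardened one returns only the red team to alice no matter what the query says, rejects a sort column it does not know, and refuses a request with no valid session. Sorting on the client (the author's sort("name", "toggle") call) is harmless for the same reason the comments give: it only rearranges rows the server already decided the user may see.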

Posted in General | Spry | AJAX | 2 comments

2 responses to “Spry :: AJAX JavaScript Hole”

  1. Rob Gonda Says:
    Anything residing in the client side can be tampered with. There are several layers in an Ajax App: View, Ajax Engine, UI Logic, Business Logic, and Data. Even though Ajax stands for Async JavaScript and XML, it doesn't mean that your app has to be fully developed in JS. It is perhaps a common mistake to migrate too much business (or any) logic to JS. That said, if you keep all your business logic in the server and only send UI logic to the client side, the most they can hack is their own presentation layer, which does not make your Ajax app vulnerable.

    Cheers
  2. John Farrar Says:
    I agree with Rob. You should put your security on the server. Client HTML/JavaScript isn't secure. Now you could put your presentation layer in Flex! It's just a matter of where you want to go to get your app working. (Note... a hacker could intercept the stream going between the browser and the server also. So even if you do Flex it would still be right to run validation at the server.)

    This is also a great way to embed functions into hyperlinks if someone reads this post and hasn't learned the cool little trick. Inside the HREF you put this same approach and then you don't need to use onClick.
