Darren
09-28-2007, 06:10 PM
I've been modifying my project's intranet site to use AJAX and so far I'm very happy with it. I just got hit by a memo from one of my company's security technicians saying we shouldn't be using AJAX as it is a security risk. Let me quote the relevant part of the memo...
AJAX is particularly problematical, as it combines JavaScript and ActiveX controls, the latter of which allows scripts written in the former to escape the browser security sandbox and gives ActiveX-level access to the client system.
The only ActiveX control used by AJAX is the HTTP request object (we are an all-IE installation), which isn't an 'executable'. I'm not a security guy, but my instinct tells me that the assessment is wrong. AJAX shouldn't be any less secure than any other site that uses JavaScript. Am I wrong on this?
I'm going to need to formulate a response, or I'm about to lose 3+ months of work upgrading the intranet site.
Darren
Are you using IE6 or 7? In IE7, it supports XMLHttpRequest natively, which means no "new ActiveXObject".
Darren
09-28-2007, 06:34 PM
Are you using IE6 or 7? In IE7, it supports XMLHttpRequest natively, which means no "new ActiveXObject".
We are using IE6. I am aware that we create the xmlHttpRequest object via new ActiveXObject(...), but I, in my limited understanding of ActiveX, wouldn't think that the xmlHttpRequest object runs any code, or somehow allows JavaScript to escape the sandbox. That ActiveX control is already present on the client. I thought the fear of ActiveX controls is when the web site sends an ActiveX control to the client. The xmlHttpRequest is an ActiveX control that already exists on the client (built into IE) and if it was exploitable, they don't need my use of AJAX to do that. Am I wrong on that?
Darren
I avoid ActiveX and stick to standards-compliant JavaScript whenever possible, so I'm not the best person to answer that. But AJAX is a pretty standard feature to have in web sites these days, and if there was a major security flaw with the implementation, then we would all know about it.
What size company do you work for? How many people? The reason I ask is that it may be worth it to ditch IE 6 for something better like Firefox, Opera, or even IE7 (not my favorite). IE6 has tons of problems and causes more trouble than it's worth.
Basscyst
10-02-2007, 06:32 PM
As a sys admin, he controls the sandbox. He can set rules as to what types of Active-X controls are allowed and how the browser reacts when they are initiated. If the company doesn't wish to allow them, they need to stop them for all users. Telling you "Oh, you can't use that because it's insecure." does absolutely nothing to prevent their usage by third party sites, or just some script kiddy working customer care.
Accepting signed Active-X controls has very little risk. If they are still worried, they can completely block it. Then your site can be added to the trusted sites where an exception can be made and your code can run as normal.
There are security risks when working with AJAX, but they aren't due to IE 6's Active-X control for the request object, and they differ little from utilizing a normal form post or query string.
Active-X controls can cause a security risk, utilizing the file system for example; however, this throws a warning as soon as it is executed, by default, and can be blocked completely without turning off your access to the request object. So like many sys admins, "I don't really get it, so ban it all." :p
I've been in your boat before, and it's pretty darned irritating, hope it works out for ya.
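The request-object creation discussed in this thread (native XMLHttpRequest in IE7, `new ActiveXObject(...)` in IE6), written out as an added example that is not code from any poster. The names `createRequest` and `env` and the fake browser environments are assumptions made for illustration; the ProgIDs are those of the MSXML request object already installed with Windows/IE.

```javascript
// ProgIDs of the MSXML HTTP request object, newest first.
var XHR_PROGIDS = ["Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0",
                   "Msxml2.XMLHTTP", "Microsoft.XMLHTTP"];

// `env` stands in for the browser global object (window). It is a parameter
// only so the selection logic can be exercised outside a browser.
function createRequest(env) {
  // IE7 and other browsers: native object, no ActiveX involved.
  if (env.XMLHttpRequest) {
    return { via: "native", xhr: new env.XMLHttpRequest() };
  }
  // IE6: instantiate the locally registered control by ProgID.
  // Nothing is downloaded from the site; the page only names the object.
  if (env.ActiveXObject) {
    for (var i = 0; i < XHR_PROGIDS.length; i++) {
      try {
        return { via: XHR_PROGIDS[i],
                 xhr: new env.ActiveXObject(XHR_PROGIDS[i]) };
      } catch (e) {
        // ProgID not registered, or ActiveX blocked by zone policy: try next.
      }
    }
  }
  return null; // no request object: caller falls back to a normal form post
}

// Constructed stand-ins for browser globals (not real browser objects).
function FakeXhr() { this.kind = "xhr"; }
function fakeIE6(registered) {
  return {
    ActiveXObject: function (progId) {
      if (registered.indexOf(progId) === -1) {
        throw new Error("Automation server can't create object");
      }
      this.progId = progId;
    }
  };
}
var ie7 = { XMLHttpRequest: FakeXhr,
            ActiveXObject: fakeIE6(XHR_PROGIDS).ActiveXObject };
var ie6 = fakeIE6(["Msxml2.XMLHTTP.3.0", "Microsoft.XMLHTTP"]);
var locked = fakeIE6([]); // every ActiveX instantiation refused
```

Handling the `null` case matters on a locked-down intranet: if policy blocks ActiveX outside the trusted zone, the page should degrade to an ordinary form submission rather than fail.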