2

I am creating a website which until now is pure PHP. I was thinking that since very few people do not have JavaScript enabled (which I wonder why!) maybe I should create my website as a fully PHP site without any AJAX. Am I thinking wrong?

Just to be sure, if I implement some AJAX would it increase the risk of my site getting breached?

Should I be even worried about this and start using AJAX?

Stephen Kennedy
  • 20,585
  • 22
  • 95
  • 108
user3157444
  • 53
  • 7
  • Using ajax will not degrade your site security, unless you will do it wrong, just like you can make security issues in a non ajax request. Unless you are sure that a large number of your site visitors will not have js enabled, I would not take no-js clients into account. – Ron Dadon Jun 06 '15 at 12:37
  • 1
    In this day and age, if you have javascript disabled most of the websites don't work. I don't have the statistics but it's something I don't even consider anymore as a software developer (unless you have regulations or standards you are forced into complying with). – John Cartwright Jun 06 '15 at 12:47
  • While that may be true, progressive enhancement is still so much better than just ignoring non-JS users altogether. There's rarely a reason to implement a feature that completely relies on JS imo. Most things can be done without (and usually the code is more elegant for it). Don't go bananas and change every link and form so they mean nothing in pure HTML. Building with PE ensures it works _everywhere_ and great SEO is just a bonus. http://bradfrost.com/blog/post/on-progressive-enhancement/ – powerbuoy Jun 08 '15 at 12:02

3 Answers3

5

AJAX itself will not increase or decrease the security of your site, at least if its implementation is elaborate. The client (browser) will have turned JavaScript on or off. If it is turned on, there may be more insecurities on the client side, but this won't affect your server and hence your site.

Nevertheless, you should of course implement your AJAX entry points securely (this server side files that are accessed by AJAX requests). Two of the most important rules of thumb you should keep in mind are:

  • Treat every user input (whether coming in via AJAX or not) as potentially "evil" and therefore validate it thoroughly and use database escaping, ... Do NOT rely on client-side validation only!
  • A good website should offer all the possibilities accessible with javascript enabled also without it. Surely, this is not always possible, but one should try it at least.

I would suggest using a framework (depending on what background technology you are using, like PHP, Java, Perl) supporting AJAX, which will make the whole thing much easier for you. Also, you should maybe search for something like "securing AJAX applications" to get more detailed information on the topic.

ahuemmer
  • 1,653
  • 9
  • 22
  • 29
4

Ajax is not inherently secure or insecure.

It does however open up 'opportunities' for insecure code. A mistake I commonly see is as follows:

  • The user is authenticated in code-behind when the page is loaded

  • A user id or other credentials are rendered out and picked up by JavaScript

  • These (totally unauthenticated) credentials are sent back over the wire by Ajax and not checked server side. Very easily hacked even with a simple tool like Fiddler!

You must apply the same level of security to your web methods/web API as you would elsewhere in your site. If you do, Ajax should be no more or less secure than 'regular' web pages. Things to watch out for include:

  • Proper authentication and authorisation checks in your web services or API

  • Anti-SQL injection measures

  • HTTPS if transmitting personal or sensitive data

Ajax makes websites more responsive and is pervasive across the modern web. Take care with security, and degrade gracefully for non-JS-enabled visitors if you expect a significant number of visitors to have JavaScript turned off or if any lost visitor is not acceptable to you, and you should have nothing to fear.

Stephen Kennedy
  • 20,585
  • 22
  • 95
  • 108
1

I am creating a website which until now is pure PHP. I was thinking that since very few people do not have JavaScript enabled (which I wonder why!) maybe I should create my website as a fully PHP site without any AJAX. Am I thinking wrong?

I would say most people do have JavaScript enabled. Probably 2% at most have it disabled according to this post from 2012.

Just to be sure, if I implement some AJAX would it increase the risk of my site getting breached?

Yes, technically it does. More code = more chance of bugs, and security bugs will be a subset of these.

You will also be increasing the attack surface of your application, as you will be generally be implementing more server-side handlers for user actions to be executed asynchronously.

There is also more chance of client side bugs being prevalent such as XSS (particularly more chance of DOM based XSS bugs sneaking in there).

Should I be even worried about this and start using AJAX?

You should be "rightfully concerned" rather than worried. The increased risk is considered acceptable by most sites, even high security systems such as banking applications. If implemented correctly it is possible for your site to remain "just as secure" as it was without AJAX.

As with anything web-based, pay particular attention to the OWASP Top 10 and follow secure coding practices to minimise the risks. It is always advisable to get a security assessment carried out by an external company to pickup anything you've missed, although this can be expensive.

Community
  • 1
  • 1
SilverlightFox
  • 32,436
  • 11
  • 76
  • 145