views: 39

answers: 2

Let's say you were building a multi-step (5-part) booking engine that had a fully working backend but also had an AJAX layer, so that you can go through all 5 steps in the initially loaded page. The steps would be:

  1. input dates and specify availability information
  2. availability results where you can choose rooms
  3. input your information including credit card information
  4. confirm information and availability
  5. confirmation information to print

I'd assume you'd want to keep the whole site on HTTPS, but I'm not quite sure what kind of measures I need for encrypting or securing the AJAX calls while I'm loading in data and submitting the form that contains the credit card information.

+1  A: 

To your server, AJAX requests are identical to regular HTTP/HTTPS requests. An attacker can purposefully browse to any AJAX URL and see the result. So, the primary answer is: any security mechanism you'd use for a non-AJAX website, you must also enforce on AJAX-driven requests. This includes all the authentication and authorization steps to prevent session hijacking, forceful browsing, and CSRF.

Beyond that, with extensive use of JavaScript and AJAX you are more susceptible to JavaScript injection. Encapsulating and escaping JavaScript and JSON is trickier than standard HTML.

Lastly, there are a few XML-driven attacks to be wary of when using XML based AJAX, notably the Billion Laughs Attack and XML injection.

The Web Security Testing Cookbook has a chapter on securing AJAX:

http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PP1&dq=web%20security%20testing%20cookbook&pg=PA197#v=onepage&q=chapter%2010&f=false

Ben Walther
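As an added example (not code from the answer above or from the asker's booking engine), the following Python shows what "enforce the same checks on AJAX requests" looks like for a stepped form: every step endpoint verifies the session, compares the CSRF token in constant time, checks the Origin header, and refuses steps the session has not yet reached (forceful browsing). It also shows the JSON-in-HTML escaping the answer calls trickier than plain HTML. The session store, the site origin `https://booking.example`, the header name `X-CSRF-Token`, and the card-number handling are assumptions for the example, not anything the page specifies.

```python
import hmac
import json
import secrets

# Constructed in-memory session store; a real backend would use its own.
SESSIONS = {}
SITE_ORIGIN = "https://booking.example"   # assumed origin of the booking site
LAST_STEP = 5


class Reject(Exception):
    """Raised when an AJAX request fails a check; the handler answers 403."""


def new_session():
    """Create a server-side session and return the cookie value for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "step": 1, "data": {}}
    return sid


def authorize_step(headers, cookies, step):
    """Apply to an AJAX step exactly the checks a normal form post would get.

    headers and cookies are plain dicts of what the request carried.
    """
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        raise Reject("no valid session")                    # authentication
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        raise Reject("CSRF token mismatch")                 # CSRF
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        raise Reject("cross-site origin")                   # defence in depth
    if not 1 <= step <= LAST_STEP or step > session["step"]:
        raise Reject("step %s not reachable yet" % step)   # forceful browsing
    return session


def complete_step(headers, cookies, step, payload):
    """Handle one AJAX step: validate, store its data, unlock the next step."""
    session = authorize_step(headers, cookies, step)
    if step == 3:
        # Assumed policy for the example: never keep the full card number in
        # the session; keep only what the confirmation page needs to show.
        payload = {"card_last4": str(payload.get("card", ""))[-4:],
                   "name": payload.get("name", "")}
    session["data"][step] = payload
    session["step"] = max(session["step"], min(step + 1, LAST_STEP))
    return {"ok": True, "next_step": session["step"]}


def handle_request(headers, cookies, step, payload):
    """Tiny dispatcher mapping a failed check to 403, as a real handler would."""
    try:
        return 200, complete_step(headers, cookies, step, payload)
    except Reject as exc:
        return 403, {"error": str(exc)}


def json_for_script(obj):
    """Serialise obj so it can be embedded inside a <script> block.

    json.dumps leaves '<' and '>' alone, so a value such as
    '</script><script>...' would close the block; escaping them as \\uXXXX
    keeps the output valid JSON that the browser still parses normally.
    ensure_ascii=True also escapes U+2028/U+2029, which break JS literals.
    """
    s = json.dumps(obj, ensure_ascii=True)
    return s.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")
```

Because the token travels in a request header that the JavaScript on the page sets, a cross-site page cannot supply it, and the Origin check catches the case where a token leaks anyway. Keeping the "current step" on the server, not in a hidden field, is what stops a client from posting straight to step 4.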