[development] AJAX security issue

Khalid Baheyeldin kb at 2bits.com
Tue May 8 04:31:32 UTC 2007


On 5/7/07, David Metzler <metzlerd at metzlerd.com> wrote:
>
> True enough, but that being said, there's not a fundamental
> difference between having an ajax script call a php page that checks
> to see if a username has been taken, and having a web form perform
> the same validation.  So don't assume that Ajax is the problem here,
> just realize that it doesn't provide any additional security either.


The difference is that in AJAX (as most commonly used), if you type "aa",
then all the users with names beginning with "Aa" will show up for you; then
you do "Ab" and get a list, then "Ac", etc.

This does not happen in a normal, non-AJAXified form. All you can get
is whether the full name you chose exists or not.

Ashraf,

If this data is sensitive, then just don't reveal it. Also, check that there
is a sufficient delay before retrieving results, so as not to invite DoS attacks
from someone asking for the data too quickly and overloading the database.
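The difference Khalid describes, as an added example that is not code from this thread or from Drupal: a prefix-matching AJAX lookup (what a username autocomplete usually calls) lets a client walk the alphabet and harvest the whole user table, while an exact-match "is this name taken?" check answers only the question the registration form needs, and a per-client rate limit slows the harvesting down. The user table, the result cap of two suggestions, the alphabet, and the rate-limit parameters are all constructed for the demo.

```javascript
// Constructed sample user table (not real accounts).
const USERS = ["aaron", "abigail", "acme_admin", "adam", "bob", "carol", "webmaster"];

// Assumed: the autocomplete endpoint returns at most this many suggestions per call.
const RESULT_CAP = 2;

// Vulnerable handler: every name beginning with the typed prefix, capped like a
// typical autocomplete. This is the AJAX behaviour the thread is warning about.
function autocompletePrefix(db, prefix) {
  const p = prefix.toLowerCase();
  return db.filter(u => u.toLowerCase().startsWith(p)).slice(0, RESULT_CAP);
}

// Hardened handler: answers only whether the exact name is already taken,
// which is all a registration form needs and all a plain form could reveal.
function isNameTaken(db, name) {
  const n = name.toLowerCase();
  return db.some(u => u.toLowerCase() === n);
}

// Attacker side: enumerate the vulnerable handler. Whenever a prefix returns a
// full page (the cap, which the attacker learns by watching the largest
// response), longer names may be hidden behind it, so extend the prefix by one
// character and ask again. Returns the harvested names and the request count.
function enumerateUsers(lookup, cap = RESULT_CAP, alphabet = "abcdefghijklmnopqrstuvwxyz_") {
  const found = new Set();
  let requests = 0;
  const walk = prefix => {
    for (const ch of alphabet) {
      const p = prefix + ch;
      const hits = lookup(p);
      requests++;
      hits.forEach(u => found.add(u));
      if (hits.length >= cap) walk(p); // page was full, there may be more
    }
  };
  walk("");
  return { users: [...found].sort(), requests };
}

// Server side mitigation: a sliding-window rate limit per client, so that a
// harvesting loop cannot hammer the database. The clock is passed in (ms) so
// the behaviour is deterministic and testable.
function makeRateLimiter(maxRequests, windowMs) {
  const recentByClient = new Map(); // client id -> timestamps inside the window
  return function allow(clientId, now) {
    const cutoff = now - windowMs;
    const recent = (recentByClient.get(clientId) || []).filter(t => t > cutoff);
    if (recent.length >= maxRequests) {
      recentByClient.set(clientId, recent);
      return false; // over the limit: refuse (or delay) the lookup
    }
    recent.push(now);
    recentByClient.set(clientId, recent);
    return true;
  };
}

// Stand-alone demo: the prefix endpoint leaks the whole table in a few dozen
// requests; the exact-match endpoint only confirms or denies one name per call.
if (typeof require !== "undefined" && require.main === module) {
  console.log("enumerated via prefix lookup:", enumerateUsers(p => autocompletePrefix(USERS, p)));
  console.log("exact check for 'bob':", isNameTaken(USERS, "bob"));
  const allow = makeRateLimiter(10, 60_000);
  console.log("11th request in one minute allowed?",
    Array.from({ length: 11 }, (_, i) => allow("10.0.0.1", i * 100)).pop());
}
```

The enumeration needs only 54 requests to recover all seven constructed names, and the cost grows with the size of the table rather than with the attacker's effort; against the exact-match handler an attacker must already guess the complete name, which is exactly what a non-AJAX form reveals. The rate limiter is a mitigation, not a fix: it slows enumeration but does not stop it, which is why the advice above is to not expose the prefix lookup at all when the data is sensitive.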

