  1. #1
    New Coder

    AJAX, security, and ActiveX controls

    I've been modifying my project's intranet site to use AJAX and so far I'm very happy with it. I just got hit by a memo from one of my company's security technicians saying we shouldn't be using AJAX as it is a security risk. Let me quote the relevant part of the memo...

    AJAX is particularly problematical, as it combines JavaScript and ActiveX controls, the latter of which allows scripts written in the former to escape the browser security sandbox and gives ActiveX-level access to the client system.
    The only ActiveX control used by AJAX is the HTTP request object (we are an all-IE installation), which isn't an 'executable'. I'm not a security guy, but my instinct tells me that the assessment is wrong. AJAX shouldn't be any less secure than any other site that uses JavaScript. Am I wrong on this?

    I'm going to need to formulate a response, or I'm about to lose 3+ months of work upgrading the intranet site.

    Darren

  • #2
    eak
    Are you using IE6 or 7? IE7 supports XMLHttpRequest natively, which means no "new ActiveXObject".
    eak | "Doing a good deed is like wetting your pants; every one can see the results, but only you can feel the warmth."

  • #3
    New Coder
    Quote Originally Posted by eak
    Are you using IE6 or 7? IE7 supports XMLHttpRequest natively, which means no "new ActiveXObject".
    We are using IE6. I am aware that we create the XMLHttpRequest object via new ActiveXObject(...), but I, in my limited understanding of ActiveX, wouldn't think that the XMLHttpRequest object runs any code, or somehow allows JavaScript to escape the sandbox. That ActiveX control is already present on the client. I thought the fear of ActiveX controls is when the web site sends an ActiveX control to the client. The XMLHttpRequest is an ActiveX control that already exists on the client (built into IE), and if it was exploitable, they wouldn't need my use of AJAX to do that. Am I wrong on that?

    Darren

  • #4
    eak
    I avoid ActiveX and stick to standards-compliant JavaScript whenever possible, so I'm not the best person to answer that. But AJAX is a pretty standard feature to have in web sites these days, and if there was a major security flaw with the implementation, then we would all know about it.

    What size company do you work for? How many people? The reason I ask is that it may be worth it to ditch IE6 for something better like Firefox, Opera, or even IE7 (not my favorite). IE6 has tons of problems and causes more trouble than it's worth.
    eak | "Doing a good deed is like wetting your pants; every one can see the results, but only you can feel the warmth."

  • #5
    Smokes a Lot
    As a sys admin, he controls the sandbox. He can set rules as to what types of ActiveX controls are allowed and how the browser reacts when they are initiated. If the company doesn't wish to allow them, they need to stop them for all users. Telling you "Oh, you can't use that because it's insecure." does absolutely nothing to prevent their usage by third-party sites, or just some script kiddie working customer care.

    Accepting signed ActiveX controls has very little risk. If they are still worried, they can completely block it. Then your site can be added to the trusted sites, where an exception can be made and your code can run as normal.

    There are security risks when working with AJAX, but they aren't due to IE6's ActiveX control for the request object, and they differ little from utilizing a normal form post or query string.

    ActiveX controls can cause a security risk, utilizing the file system for example; however, this throws a warning as soon as it is executed by default, and can be blocked completely without turning off your access to the request object. So, like many sys admins, "I don't really get it, so ban it all."

    I've been in your boat before, and it's pretty darned irritating, hope it works out for ya.
    Last edited by Basscyst; 10-02-2007 at 07:50 PM.
    Helping to build a bigger box. - Adam Matthews
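Added example, not code from any of the posters: a small XMLHttpRequest factory in the style of IE6-era pages (native object first, ActiveX ProgID fallback), together with a same-origin check. It illustrates the point made in posts #3 and #5: however the request object is created, it is still the browser's object and still subject to the same-origin policy, so blocking the ActiveX fallback on IE6 only removes the transport, it does not change what a script may reach. The `env` objects below are constructed stand-ins for a browser `window`, so the code runs offline under Node; the ProgID list is the commonly used MSXML set.

```javascript
// Added example (not from the thread). Simulates how IE6-era code obtained an
// XMLHttpRequest and shows the origin restriction that applies to any XHR.

// MSXML ProgIDs commonly tried by IE6-era AJAX code, newest first.
const MSXML_PROGIDS = [
  "Msxml2.XMLHTTP.6.0",
  "Msxml2.XMLHTTP.3.0",
  "Msxml2.XMLHTTP",
  "Microsoft.XMLHTTP",
];

// env plays the role of the browser's global object (window). Returns a
// descriptor saying which transport was available, or null when the sandbox
// offers none (e.g. IE6 with ActiveX disabled and no native object).
function createXhr(env) {
  if (typeof env.XMLHttpRequest === "function") {
    return { kind: "native", xhr: new env.XMLHttpRequest() };
  }
  if (typeof env.ActiveXObject === "function") {
    for (const progId of MSXML_PROGIDS) {
      try {
        // Unregistered ProgIDs throw; keep trying older ones.
        return { kind: "activex", progId, xhr: new env.ActiveXObject(progId) };
      } catch (e) {
        // try the next ProgID
      }
    }
  }
  return null;
}

// Same-origin policy as applied to an XHR: scheme, host and port must match
// the page. Relative request URLs resolve against the page URL.
function isSameOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl);
  return (
    page.protocol === req.protocol &&
    page.hostname === req.hostname &&
    page.port === req.port
  );
}

// Combine both: what transport exists, and whether the browser would let a
// script on pageUrl talk to requestUrl with it.
function planRequest(env, pageUrl, requestUrl) {
  const transport = createXhr(env);
  return {
    transport: transport ? transport.kind : "none",
    allowed: transport !== null && isSameOrigin(pageUrl, requestUrl),
  };
}

// Constructed stand-ins for window in three client configurations.
const ie7Like = { XMLHttpRequest: function () { this.readyState = 0; } };
const ie6Like = {
  ActiveXObject: function (progId) {
    // Pretend only the two older ProgIDs are registered on this client.
    if (progId !== "Msxml2.XMLHTTP" && progId !== "Microsoft.XMLHTTP") {
      throw new Error("ProgID not registered: " + progId);
    }
    this.progId = progId;
  },
};
const lockedDownIe6 = {}; // ActiveX blocked, no native object: no AJAX at all

function demo() {
  const page = "http://intranet.example/app/index.html";
  return {
    ie7: planRequest(ie7Like, page, "/api/data"),
    ie6: planRequest(ie6Like, page, "/api/data"),
    ie6Blocked: planRequest(lockedDownIe6, page, "/api/data"),
    ie7CrossOrigin: planRequest(ie7Like, page, "http://other.example/api"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note how the locked-down configuration yields `transport: "none"`: that is the outcome the admin in post #5 would get by banning all ActiveX on IE6 instead of scoping the policy, while the cross-origin case shows the limit that holds on IE7 and IE6 alike.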