People say it is horrible that someone can take over an XMLHttpRequest so easily. But these people need to realize that the XMLHttpRequest is nothing more than a normal form submission. You can picture it as a form being submitted in another frame. Act as if there are form tags and hidden text fields on the page. By viewing the source of any normal HTML form, we can grab the element names and see the parameters being sent to the server. We can look at the action attribute and see where we are submitting the data. So just as we can see the XMLHttpRequest object, we can see the same thing on any Web page. Why is it important to do validation on the server?
Look at the Ajax worm that Samy wrote on MySpace.com [In October of 2005, a teenager, "Samy," released a self-propagating Ajax worm to MySpace, a social network.] That is a big security threat on a major Web site that used Ajax. Well, you have to realize that the author of this worm injected his script into a Web page by getting around the server-side security check. Now the author of this worm could easily have changed the code to grab user information and submit it through a hidden iframe on the page to an outside server. The XMLHttpRequest object would not be able to make that submission to another domain. So you have a little more to fear from a normal form than from an XMLHttpRequest.
Pascarello's Rules of Thumb for Ajax Security:
- If you use user authentication, make sure you check for it on the request page!
- Check for SQL injection.
- Keep the business logic on the server!
- Don't assume every request is real!
- Check the data with validation!
- Look at the request's header information and make sure it is correct.
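The rules above are all server-side checks, and they apply identically whether a request came from XMLHttpRequest, a plain form, or a hand-built client, which is the whole point of the preceding discussion. The following is an added example, not code from the original text or from Pascarello: a small Python handler for a hypothetical "rename my account" Ajax request that applies each rule in turn. The request shape, the session store, the `SITE_ORIGIN` value, the `X-Requested-With` expectation and the SQLite schema are all constructed for the example.

```python
"""Server-side handler applying the Ajax rules of thumb to a 'rename' request.

Added example; the request shape, session store and schema are constructed.
"""
import re
import sqlite3
from dataclasses import dataclass

# Constructed stand-ins for the application's real database and session store.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
SESSIONS = {"sess-abc": 1}             # hypothetical session cookie -> user id
SITE_ORIGIN = "https://example.test"   # hypothetical origin of our own pages
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    headers: dict
    cookies: dict
    form: dict


def rename_user(req: Request) -> tuple:
    """Return (status, body). Every check runs on the server, on every request,
    because the client can forge any part of it."""
    # Rule: don't assume every request is real; look at the header information.
    # Method, Origin and the header our own script sets must match. The client
    # controls headers, so this catches stray cross-site submits rather than
    # proving where the request came from.
    if req.method != "POST":
        return 405, {"error": "method"}
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, {"error": "origin"}
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 400, {"error": "header"}

    # Rule: check authentication on the request page itself, not only on the
    # page that rendered the form.
    user_id = SESSIONS.get(req.cookies.get("session", ""))
    if user_id is None:
        return 401, {"error": "login"}

    # Rule: validate the data. An XHR parameter or hidden field is as forgeable
    # as any other input; reject anything outside the allowed shape.
    name = req.form.get("name", "")
    if not NAME_RE.match(name):
        return 400, {"error": "name"}

    # Rule: keep the business logic on the server. The client may also send a
    # user_id field; it is ignored and the session decides whose row changes.
    # Rule: check for SQL injection; the values are bound, never concatenated.
    DB.execute("UPDATE users SET name = ? WHERE id = ?", (name, user_id))
    row = DB.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchone()
    return 200, {"id": row[0], "name": row[1]}


def name_of(user_id: int):
    """Helper for inspection: current name stored for a user id, or None."""
    row = DB.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    good = Request(
        "POST",
        {"Origin": SITE_ORIGIN, "X-Requested-With": "XMLHttpRequest"},
        {"session": "sess-abc"},
        {"name": "alice_2", "user_id": "2"},   # forged user_id is ignored
    )
    print(rename_user(good), "bob still:", name_of(2))
```

The order of the checks is deliberate: cheap request-shape checks first, then authentication, then input validation, and only then a query with bound parameters. Note that the forged `user_id` field never reaches the database; authorization is decided by the session on the server, exactly as the "keep the business logic on the server" rule demands.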