I keep hearing things from other developers, that AJAX is very vulnerable and prone to hacking. Please share some thoughts on this.
the tl;dr answer would be:
At least the majority of developers think that the benefits outweigh the risks. .... and the others don't even know what you're talking about.
it is like vaccination, there are proven issues still the majority of the medical community thinks the benefits outweigh the risks. Where we could now have a philosophical debate ...
the long answer:
hmmm isn't everything prone to hacking ?
I'm not really part of the hacker community, but I love to see them work :) If you look the video posted below, one logical question would be:
obviously every exposure of your application that is not sanitized and validated is a security risk per default this goes for the client and the server.
I will not go into CORS or other forms of poisoning or man in the middle attacks and the issues of certain ciphers.
Even if you can make your application secure you still have things like: https://xkcd.com/1354/
which are core library bugs and you have to keep your infrastructure secure.
Ofc if you're like me you never transport any password in clear-text with nice libs like cryptojs everything is hashed and salted.
but this is overkill for the normal person ;) don't forget that almost every big cert company in the world at least once leaked the master key ... which is how much you should trust the google SSL initiative and the "chain of trust" ;D ... but in the end ... deal with the fact:
Absolute security is an illusion and we have to make certain trade offs between security and features/ux/speed/space/......
Lets give some beneficial reasons why we use it:
lazyloading -> loading only what you need when you need is a nice idea this reduces the amount of bits transfered at once you have to be aware of the "cold-start" https://en.wikipedia.org/wiki/Cold_start which is one consequence.
the amount of data transfered from server to client and back again. in a classic request response model, lets ignore reverse content proxies and cdns, the server renders for example the HTML and delivers the css, js and so on. and this on every page change.
Non blocking behaviour, this is per se not really relevant for ajax but in combination with ajax it's allows us to lazyload with the cache manifesto and give you the impression that you actually move freely inside of you application and if you abort and go back we still load the content and maybe the next time you click on that button it's already there.
those are the three reasons that come to mind. I will skip websocket security as I mentioned my knowledge is rather superficial in this area.
I hope this answer helps a little.
Marco Alka
Software Engineer, Technical Consultant & Mentor
First of all, AJAX is not vulnerable or prone to hacking. It is just a mechanism to fetch content from a server via JavaScript in the background.
The stuff which is vulnerable might be the website itself, maybe because it has an XSS bug, which lets attackers inject code into the site, which then is able to leverage AJAX and other APIs in order to do stuff, like DDoSing someone or transmitting credentials to a third party.
It might also happen, that the server side is not secure. There might be someone who got access to an ad-network, so they then distribute malicious code to your visitors, because you placed ads on your homepage. Again, that's not the fault of AJAX or any API, but rather because of a flaw in the application or some implementation itself!
Since there are always a lot of bugs everywhere, developers started to think about ways to at least reduce stupid fails. Today, we have Unit Tests with code coverage, which at least guarantee that your application does the right thing in all situations you can think of. Additionally, clever heads come up with new languages, like Rust, and advanced error handling techniques, like Monad error handling, which enforce a high level of security. In addition to that, there are quite many efforts to standardize (web) security in an open fashion. There are projects, like ASVS and AppSensor on OWASP.
All in all, security has never been better and I can guarantee you that the simple AJAX standard (or even WebSockets for that matter) are not vulnerable at all! The problem mostly lies in some implementation.
We are humans. Humans err, that's why they are humans. Since humans err, their products are bound to be flawed. Since the products are flawed, there will be people who find (and exploit) the flaws. But the amazing thing is, that humans further strive for perfection, so flaws become more complicated and people will need more and more knowledge to understand what the hell is going on. That's why people will make errors, which might be known to others already, just because they lack the necessary expertise which humans gathered over decades as a collective.
In the end, all we can do is specialize even more, so that we know exactly what we are doing and only making mistakes which are not yet known to others. Then we can hope that it will take quite a while for others to find the errors; or we will find them ourselves, and fix them in a complicated way which further offsets the moment at which an attack vector is found.