I've been hearing a lot about AJAX lately, but as I am primarily responsible for developing server-side code in C++, I don't normally get involved with web stuff.
After learning about it, though, and hearing some of the uses it is being put to, I can't help but wonder if AJAX doesn't have the potential to be an incredible waste of bandwidth as well as cluttering application designs.
It feels like something that is going to be abused and overused. For example, I can see how many round trips to the server to do trivial things could result in poor application performance due to latency.
I felt this way about XML, and I think I was partially right-- people are using XML in places that they shouldn't be-- and I'm just a skeptic at heart as well about any new buzzword/magic bullet technologies.
Does anyone have any comments on this one way or the other?
- And why make more roundtrips to the server?
This is about how to make them once it's clear they have to be done.
At that point, they actually save bandwidth, since there's (much) less data involved, as opposed to reloading the whole friggin page from the server.
Ajax does not automatically mean more server roundtrips, it refers only to how they are made.
Sunday, June 18, 2006
It really depends on your application. Of course it is easy to use AJAX to flood the httpd log, but this should not be the main purpose ;-)
One of the most well known examples is google suggest,
which lets you think it will create loads of bandwidth because every keystroke creates a server request, but on the other hand, the user can "navigate" whilst he is typing and does not need to try dozens of search terms.
And usually AJAX is used to submit and replace parts of the webpage, so it will actually reduce the bandwidth used.
My personal main concern is the fact that the applications BEHIND a "web app" open a lot of script power on the server to malformed requests, opening more SQL injection/server hacking than before since the "attacker" knows there is intelligence.
AJAX, chosen wisely (not necessarily rarely) brings much to "web apps".
>> And why make more roundtrips to the server?
>> This is about how to make them once it's clear they
>> have to be done.
>> At that point, they actually save bandwidth, since
>> there's (much) less data involved, as opposite to
>> reloading the whole friggin page from the server.
>> Ajax does not automatically mean more server
>> roundtrips, it refers only to how they are made.
I realize that used appropriately, it could make things more efficient; the point of my post was to ask other people how likely it was to be abused in such a way that it would _not_.
I think that the potential for abuse of AJAX/Web 2.0 apps is tremendous. Just look at the continuous stream of security problems from PHP applications. The server side of an AJAX application needs to take a very serious look at sanitizing the requests that it receives.
>> I realize that used appropriately, it could make things more efficient; the point of my post was to ask other people how likely it was to be abused in such a way that it would _not_. <<
Not a fair question -- it's like asking "What if I add an internal combustion engine to a wagon -- what are the chances that it'll be misused?"
Chances are very good that it'll be misused if the people using it don't know what they're doing. And only you know the quality of the people at your workplace.
Sunday, June 18, 2006
I totally agree with you.
That is definitely my main issue with AJAX stuff. I've done some things to get used to the techniques, but even when trying not to open any holes, the sanitising is unbelievably complex due to all the different techniques, layers and stuff involved. As soon as you are using a library/script etc. from someone else to save time you are lost. I ended up programming a lot of things myself and at least review any code from others.
Real world example: the paypal cross site script attack last week. And I guess paypal has not hired newbie programmers. Actually not an AJAX flaw, but it shows the size things can grow.
The pitfalls are endless..
"Actually not an AJAX flaw.."
Ajax in itself is not posing any danger to anything, it's dead simple for crying out loud, the morons from 'dumb and dumber' could write apps using it, and the potential of misuse is about zero point zero, and if your primary example is something not ajax, then why the hell bring it up?
It seems to be a near-impossible task to create a reasonably safe app with even a minimum of functionality, without an amazing amount of whining about it..
What's up with that?
Monday, June 19, 2006
Every new process or discovery needs some time to mature. The first automobile was slow and one could walk faster. Also roads were poor, so it could not go many places.
The first GUI was also very hard to program. There were no GUI components, and one needed to use primitive graphic calls to build even a push-button. Over time they got improved.
Likewise, Ajax also needs a good set of reusable GUI widgets (higher level reusable building blocks), which can hide low-level stuff. It also needs effective methods to streamline the asynchronous server-client communications.
Ajax has just started, and today developers are writing primitive code. But it will change.
There are many excellent technologies being invented by many other companies to build high-level reusable building blocks, which can asynchronously talk to the server:
This is just one example and I know of other companies working on these types of technologies, but not openly discussing their technology at this time. Their statements promise even better solutions, but no specifics of how they will do it.
Is Cbsdf.com back with a new Ajax FRAUD ???
I am unable to understand what Raju and the cbsdf guys are trying this time. But a few years back these guys frauded (rigged) the XML-J 2002 awards and stole it from OpenOffice (Cocoon and Batik as well).
Back then the company name was Elansoft and product was Agileblox
The below is an old google cached page
A complaint was lodged with the FBI and Elansoft closed its US office and ran from the law.
I feel, since they escaped the FBI last time so easily, they are trying to do it once again.
"Is Cbsdf.com back with a new Ajax FRAUD ???"
It really looks kinda suspicious..but the original question was about inherent flaws in the Ajax approach that may or may not jeopardize the security for users of such an app, and not about dishonest companies that happen to sport ajax apps as a front.
Fraudulent businesses have existed for any and all products/technologies known to man at one point or another.
That said, these guys sure look sleazy to me...
Tuesday, June 20, 2006
I was referring to the growing problem of interfaces on the server, using resources on the server, and the lack of knowledge of inexperienced programmers.
My point was that all that "AJAX" stuff itself is not the problem, more the server part of it. More services/power and API-like stuff introduce more pitfalls and danger. It opens possible injections to it. And my example is exactly such a thing: injecting stuff into a server process so that it renders the parts of an attacker.
I still use it when it comes to "I want to access it everywhere, also on my Mac or something" jobs.
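The server-side exposure discussed in this thread (the earlier reply saying the server side has to sanitize the requests it receives, and the post above saying the real risk is injection into the server process) is illustrated below in an added example; it is not code from any poster here. It assumes a hypothetical "suggest" endpoint that receives a JSON body `{"q": "<prefix>"}` and answers with matching search terms; the table of terms, the request bodies and the allow-list policy are all constructed for the demonstration. It shows the two layers a defender wants on such an endpoint: strict validation of the request before any logic runs, and a parameterised query so that request data can never become part of the SQL statement. The string-built variant is kept only to show how a legitimate apostrophe already breaks it.

```python
"""Hardened handling of an AJAX-style 'suggest' request (added example).

Assumes a hypothetical endpoint receiving {"q": "<prefix>"} as JSON and
returning a JSON list of matching terms. The data table is constructed.
"""
import json
import re
import sqlite3

MAX_BODY_LEN = 1024
MAX_QUERY_LEN = 64
# Constructed allow-list: letters, digits, space, dot, apostrophe, hyphen.
# LIKE wildcards (% and _) and statement characters (; " etc.) are excluded.
ALLOWED = re.compile(r"^[A-Za-z0-9 .'\-]+$")


class BadRequest(ValueError):
    """Raised when the request body fails validation (answered with HTTP 400)."""


def make_db():
    """Constructed in-memory table of search terms standing in for real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE terms (term TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO terms VALUES (?)",
        [("ajax bandwidth",), ("ajax security",), ("o'reilly books",), ("xml parsers",)],
    )
    return db


def parse_request(body: bytes) -> str:
    """Parse and validate the JSON body; accept only a short, plain prefix."""
    if len(body) > MAX_BODY_LEN:
        raise BadRequest("body too large")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise BadRequest("body is not JSON") from exc
    # Exactly the fields the endpoint documents, nothing else.
    if not isinstance(payload, dict) or set(payload) != {"q"}:
        raise BadRequest("unexpected fields")
    q = payload["q"]
    if not isinstance(q, str) or not (1 <= len(q) <= MAX_QUERY_LEN):
        raise BadRequest("q must be a non-empty string of at most %d chars" % MAX_QUERY_LEN)
    if not ALLOWED.match(q):
        raise BadRequest("q contains disallowed characters")
    return q


def suggest_unsafe(db, q: str):
    """String-built SQL: the prefix becomes part of the statement text."""
    return [r[0] for r in db.execute(
        "SELECT term FROM terms WHERE term LIKE '" + q + "%'")]


def unsafe_fails(db, q: str) -> bool:
    """True when the string-built query cannot even be parsed for this input."""
    try:
        suggest_unsafe(db, q)
    except sqlite3.Error:
        return True
    return False


def suggest(db, q: str):
    """Parameterised query: the prefix is bound as data and cannot alter the statement."""
    rows = db.execute(
        "SELECT term FROM terms WHERE term LIKE ? ORDER BY term LIMIT 10",
        (q + "%",),
    )
    return [r[0] for r in rows]


def handle(db, body: bytes):
    """Full request path: validate, query, serialise. Returns (status, json_body)."""
    try:
        q = parse_request(body)
    except BadRequest as exc:
        return 400, json.dumps({"error": str(exc)})
    return 200, json.dumps({"suggestions": suggest(db, q)})


if __name__ == "__main__":
    db = make_db()
    print(handle(db, b'{"q": "ajax"}'))            # two matching terms
    print(handle(db, b'{"q": "o\'rei"}'))          # apostrophe handled as data
    print(handle(db, b'{"q": "x", "extra": 1}'))   # rejected: unexpected field
    print("unsafe variant breaks on o'rei:", unsafe_fails(db, "o'rei"))
```

The allow-list is deliberately narrow and would have to be widened for real search terms; the point is that the decision about what a request may contain is made once, before any server logic runs, and that the database call never trusts that decision alone.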
It's like anything, it should only be used where there is a benefit to doing so, not as a gimmick. But it will be used more as a gimmick, I'll bet.
Ajax is like everything else online, it will be abused by various lowlifes. Way of the world, unfortunately.
Sunday, June 25, 2006