The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

AJAX - Potential for misuse?

I've been hearing a lot about AJAX lately, but as I am primarily responsible for developing server-side code in C++, I don't normally get involved with web stuff.

After learning about it, though, and hearing some of the uses it is being put to, I can't help but wonder if AJAX doesn't have the potential to be an incredible waste of bandwidth as well as cluttering application designs.

It feels like something that is going to be abused and overused.  For example, I can see how many round trips to the server to do trivial things could result in poor application performance due to latency.

I felt this way about XML, and I think I was partially right-- people are using XML in places that they shouldn't be-- and I'm just a skeptic at heart as well about any new buzzword/magic bullet technologies.

Does anyone have any comments on this one way or the other?
Tom Dial Send private email
Sunday, June 18, 2006
 
 
- And why make more roundtrips to the server?
This is about how to make them once it's clear they have to be done.
At that point, they actually save bandwidth, since there's (much) less data involved, as opposed to reloading the whole friggin page from the server.
Ajax does not automatically mean more server roundtrips, it refers only to how they are made.
mikael bergkvist Send private email
Sunday, June 18, 2006
 
 
It really depends on your application. Of course it is easy to use AJAX to flood the httpd log, but this should not be the main purpose ;-)

One of the most well known examples is Google Suggest,
which lets you think it will create loads of bandwidth because of every keystroke creating a server request, but on the other hand, the user can "navigate" whilst he is typing and does not need to try dozens of search terms.

And usually AJAX is used to submit and replace parts of the webpage, so it will actually reduce the bandwidth used.

My personal main concern is that the applications BEHIND a "web app" open a lot of script power on the server to malformed requests, opening more SQL injection/server hacking than before since the "attacker" knows there is intelligence.

AJAX, chosen wisely (not necessarily rarely), brings much to "web apps".

Husker
Husker Send private email
Sunday, June 18, 2006
 
 
>> And why make more roundtrips to the server?
>> This is about how to make them once it's clear they
>> have to be done.
>> At that point, they actually save bandwidth, since
>> there's (much) less data involved, as opposite to
>> reloading the whole friggin page from the server.
>> Ajax does not automatically mean more server
>> roundtrips, it refers only to how they are made.

I realize that used appropriately, it could make things more efficient; the point my post was to ask other people how likely it was to be abused in such a way that it would _not_.
Tom Dial Send private email
Sunday, June 18, 2006
 
 
Husker,

I think that the potential for abuse of AJAX/Web 2.0 apps is tremendous. Just look at the continuous stream of security problems from PHP applications. The server side of an AJAX application needs to take a very serious look at sanitizing the requests that it receives.

.cp
coderpunk Send private email
Sunday, June 18, 2006
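Husker's concern above (the server-side handler behind an AJAX call being driven by malformed requests into SQL injection) and coderpunk's follow-up (the server must sanitize what it receives) both come down to the same defect, so here is one added example, written for this thread and not code from any poster or product. It assumes a hypothetical Google-Suggest-style endpoint, named `suggest_vulnerable` and `suggest_safe`, that looks up names starting with a prefix sent by the browser; the rows, the `MAX_PREFIX` limit and the inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for a suggest-style lookup table (not data from the thread).
PRODUCTS = [("apple",), ("apricot",), ("banana",), ("blueberry",)]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", PRODUCTS)
    return conn


def suggest_vulnerable(conn, prefix):
    """Hypothetical AJAX handler as the thread fears it: the request parameter
    is pasted straight into the SQL text, so the caller controls the query."""
    sql = "SELECT name FROM products WHERE name LIKE '" + prefix + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


MAX_PREFIX = 32  # constructed limit; a suggest box never needs more than this


def suggest_safe(conn, prefix):
    """Hardened version: validate the parameter, bind it instead of concatenating,
    and escape LIKE wildcards so a bare '%' cannot mean 'match everything'."""
    if not isinstance(prefix, str) or len(prefix) > MAX_PREFIX:
        raise ValueError("bad prefix")
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    # The bound value is data, never SQL text, whatever characters it holds.
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    for p in ("ap", "%", "' OR 1=1 --"):
        print(repr(p), "vulnerable:", suggest_vulnerable(db, p),
              "safe:", suggest_safe(db, p))
```

For an ordinary prefix both handlers answer the same; the difference shows on a request that carries a wildcard or a quote, which the concatenating handler executes as part of the query while the bound version only ever treats it as the literal text to match. The length check is there because a suggest endpoint has no business accepting arbitrarily long input, and the wildcard escaping matters even with binding, since `%` and `_` are interpreted inside a LIKE pattern rather than by the SQL parser.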
 
 
>> I realize that used appropriately, it could make things more efficient; the point my post was to ask other people how likely it was to be abused in such a way that it would _not_. <<

Not a fair question -- it's like asking "What if I add an internal combustion engine to a wagon -- what are the chances that it'll be misused?"

Chances are very good that it'll be misused if the people using it don't know what they're doing.  And only you know the quality of the people at your workplace.
example
Sunday, June 18, 2006
 
 
.cp,

I totally agree with you.

That is definitely my main issue with AJAX stuff. I've done some things to get used to the techniques but even when trying not to open any holes, the sanitising is unbelievably complex due to all the different techniques, layers and stuff involved. As soon as you are using a library/script etc. from someone else to save time you are lost. I ended up programming a lot of things myself and at least reviewing any code from others.

Real world example: the PayPal cross site scripting attack last week. And I guess PayPal has not hired newbie programmers. Actually not an AJAX flaw, but it shows the size things can grow to.

The pitfalls are endless..

best
Husker
Husker Send private email
Monday, June 19, 2006
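Husker's point that sanitising is hard because of "all the different techniques, layers and stuff involved", with the PayPal cross-site scripting attack as the cautionary case, is easiest to see in the response direction: an AJAX handler that returns a page fragment must encode each value for the exact context it lands in, and for a link even correct escaping is not enough. The example below is added for this thread and is not code from any poster or product; the handler names (`fragment_unsafe`, `fragment_safe`, `json_response`), the allowlisted URL schemes and the suggestion records are all constructed.

```python
import html
import json

# Constructed suggestion records; the second stands in for stored data that
# carries markup and a script: URL, the kind of input a sanitiser must handle.
SUGGESTIONS = [
    {"name": "apple", "url": "/search?q=apple"},
    {"name": "<script>alert(1)</script>", "url": "javascript:alert(1)"},
]


def fragment_unsafe(items):
    """Hypothetical handler that builds the fragment by string interpolation:
    whatever markup is in the data is interpreted by the browser."""
    return "".join(f'<li><a href="{i["url"]}">{i["name"]}</a></li>' for i in items)


def safe_url(url):
    """Only same-site paths and http(s) links pass; escaping alone would not
    neutralise a javascript: link, so the scheme is allowlisted instead."""
    if url.startswith(("http://", "https://")):
        return url
    if url.startswith("/") and not url.startswith("//"):  # reject protocol-relative
        return url
    return "#"


def fragment_safe(items):
    """Each value is encoded for the context it lands in: attribute value
    (quotes escaped) versus element text (angle brackets and ampersands)."""
    parts = []
    for i in items:
        href = html.escape(safe_url(i["url"]), quote=True)
        text = html.escape(i["name"], quote=False)
        parts.append(f'<li><a href="{href}">{text}</a></li>')
    return "".join(parts)


def json_response(items):
    """Alternative: return data, not markup, and let the client assign it to
    textContent/href. '<' is escaped so the body stays inert inside <script>."""
    body = json.dumps([{"name": i["name"], "url": safe_url(i["url"])} for i in items])
    return body.replace("<", "\\u003c")


def decode_response(body):
    """Client-side view of json_response: the original strings come back intact."""
    return json.loads(body)


if __name__ == "__main__":
    print("unsafe :", fragment_unsafe(SUGGESTIONS))
    print("safe   :", fragment_safe(SUGGESTIONS))
    print("json   :", json_response(SUGGESTIONS))
```

The three layers are deliberately separate: the URL check is a policy decision (which schemes a link may carry), the HTML encoding is mechanical and context dependent, and the JSON variant sidesteps markup generation on the server altogether, which is usually the simpler thing to get right once the client inserts values via DOM properties rather than innerHTML.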
 
 
"Actually not an AJAX flaw.."

Umm..?
Ajax in itself is not posing any danger to anything; it's dead simple, for crying out loud, the morons from 'Dumb and Dumber' could write apps using it, and the potential for misuse is about zero point zero, and if your primary example is something not Ajax, then why the hell bring it up?
And another thing, why do all these pro developers, who are *real men*, real hardcore coders, have such problems using a stupid toy language like JavaScript?
It seems to be a near-impossible task to create a reasonably safe app with even a minimum of functionality, without an amazing amount of whining about it..
What's up with that?
mikael bergkvist Send private email
Monday, June 19, 2006
 
 
Every new process or discovery needs some time to mature. The first automobile was slow and one could walk faster. Also roads were poor, so it could not go many places.

The first GUI was also very hard to program. There were no GUI components, and one needed to use primitive graphics calls to build even a push-button. Over time they got improved.

Likewise, Ajax also needs a good set of reusable GUI widgets (higher-level reusable building blocks), which can hide low-level stuff. Effective methods to streamline the asynchronous server-client communications also need to be found.
http://www.cbsdf.com/technologies/DHTML-Widgets/Widget-samples.htm

Ajax has just started and today developers are writing primitive code. But it will change.

There are many excellent technologies being invented by many other companies to build high-level reusable building blocks, which can asynchronously talk to server:
http://www.cbsdf.com/misc_docs/gui-api-brief.htm

This is just one example, and I know of other companies working on these types of technologies, but not openly discussing their technology at this time. Their statements promise even better solutions, but give no specifics of how they will do it.
Jay Send private email
Monday, June 19, 2006
 
 
Is Cbsdf.com back with a new Ajax FRAUD ???

I am unable to understand what Raju and the cbsdf guys are trying this time. But a few years back they rigged the XML-J 2002 awards and stole them from OpenOffice (Cocoon and Batik as well).

Back then the company name was Elansoft and product was Agileblox

http://marc.theaimsgroup.com/?l=xml-cocoon-users&m=104875540622555&w=2

Below is an old Google cached page:
http://66.102.7.104/search?q=cache:fdWESVpaqC8J:weblog.halogenlabs.com/%3Fp%3D86+Elansoft+cocoon&hl=en&gl=in&ct=clnk&cd=1&client=firefox-a

A complaint was lodged with the FBI, and Elansoft closed its US office and ran from the law.

http://forum.java.sun.com/thread.jspa?forumID=45&threadID=182966

http://www.zdnetasia.com/builder/program/dev/talkback.htm?PROCESS=show&ID=20024225&AT=39062710-39000408_39000406_39000407_39000409_39000410_39000412_39000411_39000413_39000404_39000400_39000402_39000401_39000403_39000405c

I feel that, since they escaped the FBI so easily last time, they are trying to do it once again.
anonymous Send private email
Tuesday, June 20, 2006
 
 
"Is Cbsdf.com back with a new Ajax FRAUD ???"

It really looks kinda suspicious.. but the original question was about inherent flaws in the Ajax approach that may or may not jeopardize the security of users of such an app, and not about dishonest companies that happen to sport Ajax apps as a front.
Fraudulent businesses have existed for any and all products/technologies known to man at one point or another.

That said, these guys sure look sleazy to me...
mikael bergkvist Send private email
Tuesday, June 20, 2006
 
 
@Mikael:

I was referring to the growing problem of interfaces on the server, using resources on the server, and the lack of knowledge of inexperienced programmers.

My point was that all that "AJAX" stuff itself is not the problem; more the server part of it. More services/power and API-like stuff introduce more pitfalls and danger. It opens possible injections into it. And my example is exactly such a thing: injecting stuff into a server process so it renders parts supplied by an attacker.

About JavaScript: well, which other language is available in "browsers"? Personally, I would prefer a _real_ app, but I also use my own little framework I hacked a while ago (and yes, it includes some AJAX stuff even though it wasn't called that at the time I wrote it).

I still use it when it comes to "I want to access it everywhere, also on my Mac or something" jobs.

cheers
Husker
Husker Send private email
Wednesday, June 21, 2006
 
 
I see Ajax as a way to get the people with JavaScript switched off (avoiding adverts) to turn it back on...

It's like anything, it should only be used where there is a benefit to doing so, not as a gimmick. But it will be used more as a gimmick, I'll bet.

JavaScript generally off here, controlled via 'NoScript' in Firefox, tied to 'Adblock'. If it's irritating I can block it, or simply never go back.

Ajax is like everything else online, it will be abused by various lowlifes. Way of the world, unfortunately.
Claire Rand
Sunday, June 25, 2006
 
 

This topic is archived. No further replies will be accepted.
