Microsoft Technology Presentation

 From:  Rich  
 To:  ALL
32731.1 
Here's some site pimpage for you... Today, three architects from 'the big M' turned up at work today and gave a stunning, enthralling five hour presentation (10am - 3pm) on their next generation of developer software and a peek into the world of some of their new technologies.

Read more at http://www.lostjohnnies.com/roadtest.php?id=7

Rich - e - w - m

 From:  Peter (BOUGHTONP)  
 To:  Rich     
32731.2 In reply to 32731.1 
quote:
AJAX is Microsoft's way of making Web 2.0 easier to achieve.

Uhh???? That's really misleading. Microsoft created the XmlHttpRequest function (long before AJAX/Web2.0), but they didn't invent the technique nor the term.


quote:
how JSON can be used as a lighter-weight alternative to SOAP, it all looks good, but I (and a few others) had our doubts about JS being used like that - what about injection attacks?

No more risk from injection attacks using JSON vs SOAP - any client input can result in injection attacks if it isn't properly validated.

 From:  Rich  
 To:  Peter (BOUGHTONP)     
32731.3 In reply to 32731.2 
quote: Peter Boughton
Uhh???? That's really misleading. Microsoft created the XmlHttpRequest function (long before AJAX/Web2.0), but they didn't invent the technique nor the term.


That's true, but my comment isn't misleading at all. AJAX provides developers with the WYSIWYG components to make use of XMLHttp to update small regions of your pages, whereas previously you'd have to script that bit yourself and chances are, without AJAX and a mountain of client-side scripting, you'd still get a complete postback.


quote: Peter Boughton
No more risk from injection attacks using JSON vs SOAP - any client input can result in injection attacks if it isn't properly validated.


Completely agree again, although JSON transparently requires the download of a cacheable JS script file whereas SOAP is/can be streamed each time the page is loaded. Any system that requires files to be actually stored on your PC is going to be more of a security risk than streamed data because it means if they injection-attack your JS download, then you're exploited with every load of the page (and thus the JS), whereas to exploit you every time with injection into a SOAP stream, hackers would have to sit on a connection injecting their malfeasance every request.

Rich - e - w - m

 From:  THERE IS NO GOD BUT (RENDLE)  
 To:  Rich     
32731.4 In reply to 32731.3 
I think the issue is that you're confusing "ASP.NET AJAX", which is a toolkit and set of controls and what-have-you, with "AJAX", which is a pattern or meta-technology or something and can be implemented in lots of different ways.

Isn't the new stuff awesome, though?


 From:  THERE IS NO GOD BUT (RENDLE)  
 To:  Rich     
32731.5 In reply to 32731.3 
Oh, and about LINQ: I don't know if they mentioned it, but it automatically multi-threads the operations it encapsulates: it can filter on one thread, sort on another and aggregate on a third, so your app can actually use all those cores we're getting without having to fuck about in the System.Threading namespace and worry about locks and race conditions. Not that that's not fun, of course.


 From:  Peter (BOUGHTONP)  
 To:  Rich     
32731.6 In reply to 32731.3 
quote:
although JSON transparently requires the download of a cacheable JS script file whereas SOAP is/can be streamed each time the page is loaded.

If SOAP is streamed on the server-side at pageload, that's not asynchronous - it's not "Web2.0" - so you're not comparing like-for-like.

For proper interactive asynchronous stuff, JSON and SOAP both require a client-side script to initiate the request and handle the result, and that's all they require. The whole point of this stuff is to move everything that isn't display logic or data away from the client side, so anyone doing more than that on the client is missing the point.

 From:  THERE IS NO GOD BUT (RENDLE)  
 To:  Peter (BOUGHTONP)     
32731.7 In reply to 32731.2 

There are vulnerability issues with JSON if the client-side script uses eval to recreate the JS object instead of a dedicated JSON parser.

 

Also, I don't think JSON does require any kind of file-caching, does it? I thought it was just a string?



 From:  Peter (BOUGHTONP)  
 To:  THERE IS NO GOD BUT (RENDLE)     
32731.8 In reply to 32731.7 
Yeah, it is just a string.

Unless I'm missing something, anything that can be done with eval can be done with any decent JS debugger (eg: Firebug) - but it's a client-side change until the request gets sent back. So long as the server immediately validates/escapes ALL user input (which should be the default behaviour for everything, not just AJAX/JSON/etc), there shouldn't be any issues.

 From:  THERE IS NO GOD BUT (RENDLE)  
 To:  Peter (BOUGHTONP)     
32731.9 In reply to 32731.8 

The JSON exploits are more to do with executing malicious code on the client than the server. If you have an AJAX-enabled community-content web app which uses JSON to transport data, and you can discover the object notation, you can replace chunks of it with executable Javascript which will then get eval'd on the client and could do all sorts of nasty stuff.

 

Again, making sure the stuff is properly escaped on the server before sending it prevents this kind of thing, but XML/SOAP fans would argue that it's better if the vulnerability doesn't exist at all.


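The eval-versus-parser point made in 32731.7 and 32731.9, and the server-side escaping point from 32731.8, as an added example that is not part of the thread. It assumes Node.js; the user comment, the `marker()` function and the response-building functions are all constructed for illustration.

```javascript
// Added example (not from the thread): why eval-based JSON handling is risky and
// how a dedicated parser plus proper server-side encoding removes the risk.
// Plain Node.js, no dependencies. All inputs below are constructed sample data.

// Constructed "user-supplied" comment text, as a community-content app might
// receive it. marker() is a harmless global we can watch for side effects; it
// stands in for the executable JavaScript the thread is worried about.
const sideEffects = [];
globalThis.marker = () => { sideEffects.push("code ran"); return "x"; };
const userComment = 'hi"+marker()+"';

// Server side, naive: splicing user text straight into the JSON document.
function buildResponseNaive(comment) {
  return '{"comment":"' + comment + '"}';
}

// Server side, correct: let a JSON encoder escape the value (this is the
// "properly escaped on the server" step the thread mentions).
function buildResponseSafe(comment) {
  return JSON.stringify({ comment: comment });
}

// Client side, the pattern the thread warns about: eval() used as a "parser".
function loadWithEval(text) {
  return eval("(" + text + ")");
}

// Client side, the dedicated parser: anything that is not pure data is rejected.
function loadWithParser(text) {
  return JSON.parse(text);
}

// Runs the four combinations and reports what happened in each case.
function demo() {
  sideEffects.length = 0;
  const results = {};
  const naive = buildResponseNaive(userComment);
  results.naiveEval = loadWithEval(naive).comment;     // marker() executes, yields "hix"
  results.naiveEvalRan = sideEffects.length > 0;       // true: client ran foreign code
  try { loadWithParser(naive); results.naiveParse = "ok"; }
  catch (e) { results.naiveParse = e.constructor.name; } // "SyntaxError": parser refuses
  const safe = buildResponseSafe(userComment);
  results.safeEval = loadWithEval(safe).comment;       // escaped, so just a string
  results.safeParse = loadWithParser(safe).comment;    // original text, untouched
  results.safeRan = sideEffects.length > 1;            // false: nothing extra executed
  return results;
}
```

Only the naive-server plus eval-client pairing executes code; either the encoder on the server or `JSON.parse` on the client alone is enough to stop it.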

 From:  Rich  
 To:  Peter (BOUGHTONP)     
32731.10 In reply to 32731.8 

Rendle's doing a better job of explaining this than I am.

 

Mr Rendle: Yes, the new stuff does look awesome. I'm officially converted from Microsoft hater to Microsoft lover. It's that good.


Rich - e - w - m

 From:  Izziwizzi (JAMES)  
 To:  ALL
32731.11 In reply to 32731.10 
You all need to get out more. Go de-tune some pianos or something.
