Information Security Magazine

Tug-of-Web 2.0
by Justin Gehtland
Issue: Nov 2007

Ajax, Java and other dynamic application coding methods have pulled computing power over to the client, introducing new risks and resurrecting old ones.


The world of Web application development has recently been re-energized through the advent of Ajax technologies. Through these techniques, Web sites can appear to be more dynamic and interactive, giving the user the experience of a desktop application but with the ease of deployment and maintenance that comes with a server-based application. Enterprises have embraced this combination as a way to minimize deployment costs while maximizing user satisfaction.

Yet these technologies and techniques carry a security risk. The difference between traditional Web applications and newer Web 2.0 Ajax applications is the amount of logic, data and processing that occurs on the client side. Users are no longer dealing merely with HTML and Flash, but with complex programmatic logic in the form of JavaScript, and sometimes with large amounts of structured data in the form of XML or JavaScript Object Notation (JSON). This creates a twofold problem: business logic is exposed to the end user, who can read, alter or bypass it, and the application acquires new threat vectors, because every Ajax endpoint can be called directly rather than only through the page's own script. Enterprises need to understand the nature of these applications, and whether the threats associated with Ajax are a new breed or simply another way to look at the same old problems of distributed Web application security.

GETTING CLOSER TO AJAX
Ajax is a catchall description for a collection of development practices and technologies that have existed for some time. At its heart, it is the ability of a browser to send asynchronous requests to a server and to handle the responses in custom JavaScript code instead of simply rendering them to the screen. Other ancillary technologies are often grouped under the same umbrella term: visual effects, interactive components such as rich-text editors, data serialization and more. These are largely subordinate to the primary goal, which is to let the browser act as an asynchronous client and bypass its default behavior of rendering each response as a new page.

Ajax apps are not Web services, RESTful or otherwise, designed for consumption by other software; they are designed to be experienced through a browser. Securing a browser-based application therefore means protecting two parties: the user, who wants to keep his private data private, and the application, which wants to protect both its users' data and its own code. In the context of an Ajax app, that means preventing private data from leaking from the client to the server, preventing one user's data from leaking from the server to another user's client, and never passing sensitive server-side information to any client at all. The last point carries a catch that the rest of this article returns to: whatever the server does send, whether JavaScript or JSON, executes or is parsed on a machine the end user controls, so the user can read it.
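The twofold problem described above, shown in code as an added example that is not part of the original article: a pricing rule implemented in client-side JavaScript, as an Ajax app would ship it, and the same rule on the server. The catalog, the prices, the discount rule and the `/api/checkout` endpoint are all hypothetical, and the "requests" are plain JSON strings so the example runs under Node.js without a browser or a network.

```javascript
// Added example (not from the article). Catalog, prices, discount rule and
// the /api/checkout path are hypothetical. Runs under Node.js, no browser.

// Hypothetical server-side catalog: the server's only source of truth.
const CATALOG = { "sku-100": 40.0, "sku-200": 25.0 };

// Business rule: 10% off orders of 100.00 or more (rounded to cents).
function applyDiscount(subtotal) {
  return subtotal >= 100 ? Math.round(subtotal * 0.9 * 100) / 100 : subtotal;
}

// Client side. In a real Ajax page this function is delivered to the browser
// as JavaScript, so anyone can read the rule, change the code or skip it.
function buildCheckoutRequest(cart, clientPrices) {
  let subtotal = 0;
  for (const [sku, qty] of Object.entries(cart)) {
    subtotal += clientPrices[sku] * qty;
  }
  // This JSON body is what XMLHttpRequest would POST to /api/checkout.
  return JSON.stringify({ cart, total: applyDiscount(subtotal) });
}

// Server side, naive: trusts the total the client computed.
function checkoutNaive(body) {
  const req = JSON.parse(body);
  return { accepted: true, charged: req.total };
}

// Server side, hardened: recomputes the total from the catalog with the
// server's own copy of the rule; the client's figure is only cross-checked.
function checkoutHardened(body) {
  const req = JSON.parse(body);
  let subtotal = 0;
  for (const [sku, qty] of Object.entries(req.cart)) {
    if (!(sku in CATALOG) || !Number.isInteger(qty) || qty <= 0) {
      return { accepted: false, reason: "invalid line item" };
    }
    subtotal += CATALOG[sku] * qty;
  }
  const total = applyDiscount(subtotal);
  if (typeof req.total !== "number" || Math.abs(req.total - total) > 0.005) {
    return { accepted: false, reason: "client total does not match" };
  }
  return { accepted: true, charged: total };
}

// Honest client: same prices, same rule, so both servers agree.
const cart = { "sku-100": 2, "sku-200": 1 }; // 105.00 before discount
const honest = buildCheckoutRequest(cart, CATALOG);

// Attacker: nothing forces the request to originate from the page's own
// JavaScript. A hand-built request to the same endpoint carries whatever
// total the attacker likes; the client-side rule was never consulted.
const tampered = JSON.stringify({ cart, total: 1.0 });

function demo() {
  return {
    honestNaive: checkoutNaive(honest),        // charged 94.5
    honestHardened: checkoutHardened(honest),  // charged 94.5
    tamperedNaive: checkoutNaive(tampered),    // charged 1.0, the attacker wins
    tamperedHardened: checkoutHardened(tampered), // rejected
  };
}

console.log(demo());
```

The client-side copy of `applyDiscount` is still useful for a responsive UI; the point is that it can only ever be a convenience, because the Ajax endpoint sees a JSON string, not the script that was supposed to produce it, and must re-derive every security-relevant value itself.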
