Black Hat 2007: More on the dangers of Ajax

Interview

Black Hat 2007: More on the dangers of Ajax

Bill Brenner, Senior News Writer
HP announced its acquisition of SPI Dynamics last month. What kind of changes do you expect in your corner of the operation?
HP very much wants to keep SPI intact. This isn't an acquire-and-strip-our-resources

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

type of thing. They understand we're the leader in Web application security. SPI Dynamics has over 1,000 customers right now and we talked at a third of all Web application talks at Black Hat last year, so we're clearly the leader and they know this. They don't want to kill the golden goose. So HP has openly expressed that it wants to hang on to SPI Dynamics' talent?
Oh, yes. We certainly have a large number of customers but it's not like they're buying us for our customer portfolio and ditching us. They realize the people, the research and intellectual property and the knowledge we have of Web application security is really what makes us valuable and they very much want to keep us intact. At last year's Black Hat conference you warned that Ajax-based applications are being adopted quickly without a lot of thought about security. Will that be a recurring theme for you this year as well?
Web application threats:
Ajax threats worry researchers: While it makes smooth Web applications like Google Maps possible, the rush to adopt Ajax may fuel haphazard development and a feeding frenzy among hackers.

Ajax security: How to prevent exploits in five steps - While Ajax can make your Web pages feel faster and more responsive, this Internet-based service, like many Web development tools, has its security concerns.

Hackers broaden reach of cross-site scripting attacks: An explosion of AJAX-based applications has increased the damage that cross-site scripting (XSS) attacks can inflict on machines. A new tool uses XSS flaws to create a botnet.
I'll be taking [the issue] to the next step. People are starting to realize there are issues with Ajax and I think developers kind of fall into some of these mistakes. I routinely browse around Ajax Web sites and forums and developers are still very much confused about which part of an Ajax app is running on the server and which part is running on the client. The danger is anything you put on the client an attacker can see in terms of secrets, data you may be caching temporarily, program application logic or flow -- all this information. You want to be very careful about what you're pushing to the client. We see things like Microsoft Silverlight, which is their version of Flash. It allows Web developers to build rich applications on both the client and server using the same language, in C-sharp or what have you. The problem is that this blurs the line even more as far as where code is running and who can see what. So our big presentation is called Premature Ajax-ulation, which I'm giving with my co-author, Bryan Sullivan. We're writing a book called "Ajax Security" (Due out Nov. 1) and we'll be giving away a chapter at Black Hat. Will a demo be part of the Premature Ajax-ulation presentation?
We're going to run through a sample travel Web site we built complete with rich Web services, a nice Ajax-y feel and we'll run through it and say hey, here's a Web site we built using the techniques and design patterns in these books and Web sites and here's why we just built one of the world's most insecure applications. Here are the problems, here's what we didn't know, here's what all those books that tell you how to program in Ajax aren't telling you and how it's leaving you open. You're also doing a presentation called "The Little Hybrid Web worm that could" …
We'll talk about Web worms, which we've seen on the rise over the last year with one affecting MySpace, one affecting Yahoo and some affecting Google. We've really seen these on the rise in the past year.