Black Hat 2007: More on the dangers of Ajax

One of the presenters at this year's Black Hat USA 2007 conference in Las Vegas is Billy Hoffman, a researcher with SPI Dynamics. Hoffman made headlines at last year's conference with a series of presentations on application security, particularly the threats against Web sites that rely on Asynchronous JavaScript and XML (Ajax). In this Q&A, Hoffman previews more application-based dangers he'll be discussing at the 2007 event, and talks about the future of SPI Dynamics as part of HP, which acquired the security firm in June.

HP announced its acquisition of SPI Dynamics last month. What kind of changes do you expect in your corner of the operation?
HP very much wants to keep SPI intact. This isn't an acquire-and-strip-our-resources type of thing. They understand we're the leader in Web application security. SPI Dynamics has over 1,000 customers right now and we talked at a third of all Web application talks at Black Hat last year, so we're clearly the leader and they know this. They don't want to kill the golden goose.

So HP has openly expressed that it wants to hang on to SPI Dynamics' talent?
Oh, yes. We certainly have a large number of customers but it's not like they're buying us for our customer portfolio and ditching us. They realize the people, the research and intellectual property and the knowledge we have of Web application security is really what makes us valuable and they very much want to keep us intact.

At last year's Black Hat conference you warned that Ajax-based applications are being adopted quickly without a lot of thought about security. Will that be a recurring theme for you this year as well?
I'll be taking [the issue] to the next step. People are starting to realize there are issues with Ajax and I think developers kind of fall into some of these mistakes. I routinely browse around Ajax Web sites and forums and developers are still very much confused about which part of an Ajax app is running on the server and which part is running on the client. The danger is anything you put on the client an attacker can see in terms of secrets, data you may be caching temporarily, program application logic or flow -- all this information. You want to be very careful about what you're pushing to the client. We see things like Microsoft Silverlight, which is their version of Flash. It allows Web developers to build rich applications on both the client and server using the same language, in C-sharp or what have you. The problem is that this blurs the line even more as far as where code is running and who can see what. So our big presentation is called Premature Ajax-ulation, which I'm giving with my co-author, Bryan Sullivan. We're writing a book called "Ajax Security" (due out Nov. 1) and we'll be giving away a chapter at Black Hat.

Will a demo be part of the Premature Ajax-ulation presentation?
We're going to run through a sample travel Web site we built complete with rich Web services, a nice Ajax-y feel and we'll run through it and say hey, here's a Web site we built using the techniques and design patterns in these books and Web sites and here's why we just built one of the world's most insecure applications. Here are the problems, here's what we didn't know, here's what all those books that tell you how to program in Ajax aren't telling you and how it's leaving you open.

You're also doing a presentation called "The Little Hybrid Web worm that could" …
We'll talk about Web worms, which we've seen on the rise over the last year with one affecting MySpace, one affecting Yahoo and some affecting Google. We've really seen these on the rise in the past year.
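The client/server confusion Hoffman describes above (secrets and application logic pushed to the browser, where anyone can read and change them) is easiest to see in a booking flow like the travel-site demo he mentions. The following is an added example, not code from the interview, the book or SPI Dynamics: a fare endpoint written the "logic on the client" way beside one that keeps the authoritative logic on the server. The flight prices, promo code and request objects are constructed sample data.

```javascript
// Server-side data the browser should never need to hold (constructed sample values).
const FARES = { "LAS-SFO": 180, "LAS-JFK": 420 }; // price table
const PROMO = { BLACKHAT07: 0.25 };                // promo code -> discount fraction

// Pattern 1: the browser computed the total (using a promo table that shipped
// inside the page's JavaScript) and the server books whatever figure arrives.
// Everything that produced `total` ran on the client, so the server has no way
// to know whether the number is the one the page's script would have produced.
function bookTrustingClient(req) {
  if (typeof req.total !== "number" || req.total < 0) {
    return { ok: false, reason: "bad total" };
  }
  return { ok: true, charged: req.total };
}

// Pattern 2: the client sends only identifiers. The server recomputes the price
// from data it controls, keeps the promo table as a server-side secret, and
// rejects anything it cannot verify. A client-supplied total is not an input.
function bookServerSide(req) {
  const fare = FARES[req.flight];
  if (fare === undefined) return { ok: false, reason: "unknown flight" };
  let discount = 0;
  if (req.promo !== undefined) {
    discount = PROMO[req.promo];
    if (discount === undefined) return { ok: false, reason: "invalid promo" };
  }
  const charged = Math.round(fare * (1 - discount) * 100) / 100;
  return { ok: true, charged };
}

// A request as the legitimate page would build it, and the same request with
// the client-computed total altered before it reached the server (constructed).
const honest = { flight: "LAS-JFK", promo: "BLACKHAT07", total: 315 };
const altered = { ...honest, total: 1 };

// Pattern 1 charges 1; pattern 2 charges 315 for both requests.
console.log(bookTrustingClient(altered), bookServerSide(altered));
```

The difference to look for in a review is not input validation on `total` (pattern 1 has some) but whether the server ever needed the client's arithmetic at all.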
