Has your organization gone ape for Ajax-enabled Web applications? If so, then you might want to encourage your developers to check out an exercise conducted by SPI Dynamics researchers Billy Hoffman and Bryan Sullivan.
Normally, researchers try to think about security from the hacker's point of view. Hoffman and Sullivan decided to take the opposite tack and learn about Ajax insecurity by standing in the developer's shoes. The two cobbled together an Ajax application using only code snippets found on the Web, along with advice from forums and other resources on the Internet, a generally accepted practice among developers, Hoffman and Sullivan said.
"This is not C++. Developers are going to coworkers, blogs and forums for tips and information, and those places are as clueless as they are about Ajax," said Sullivan, senior research engineer at SPI Dynamics.
The application, called Hacker Vacation, is a takeoff on a travel Web site, and Sullivan bluntly said the finished product is "riddled with security defects."
"Developers are using knowledge from supposedly authoritative sources, but there's a lot of bad advice out there," he said. "A lot of Ajax applications are horrendously insecure applications."
Hoffman, SPI Dynamics' lead researcher, and Sullivan will demonstrate the Hacker Vacation application next week at the Black Hat Briefings in Las Vegas. Attendees can expect to see a typical case study of the security concerns around Ajax: how easily sensitive data can leak from these applications, how denial-of-service conditions can occur, and how some common programming snafus apply here as well.
"It's dangerous to think about where developers are getting their advice," Hoffman said. "You go on a forum to figure out how to build a cross-domain proxy on a server to build mash-ups. You find code snippets and you're so ready to trust them. But you never ask: 'Who are these users? How long have they been programming Ajax? And, what do they know about security?' Even those who know better, still make mistakes."
Hoffman said it's simple for a developer trying their hand at building an Ajax app to inadvertently leak password information, or worse, credit card or other sensitive data from an ecommerce application, for example.
Sullivan adds that while Ajax is a great advance in Web development, it is more difficult to secure because it has a larger attack surface and is more transparent and more complex than a traditional application.
"Security people need to take a look at this space and publish advice for developers," Sullivan says. "Developers don't speak the same language as pen-testers, for example. Any time you have something as sexy as Ajax, you want to go ahead and adopt it quickly and take advantage of what it offers. Unfortunately, security is lagging when that happens."