Researchers expose Ajax programming dangers

Two security engineers from SPI Dynamics comb resources on the Net to build an Ajax application from scratch; the final product is rife with problems.


Has your organization gone ape for Ajax-enabled Web applications? If so, then you might want to encourage your developers to check out an exercise conducted by SPI Dynamics researchers Billy Hoffman and Bryan Sullivan.


Normally, researchers try to think about security from the hacker's point of view. Hoffman and Sullivan decided to take the opposite tack and learn about Ajax insecurity by standing in the developer's shoes. The two cobbled together an Ajax application using nothing but code snippets found on the Web, along with advice from forums and other Internet resources, a common practice among developers, Hoffman and Sullivan said.

"This is not C++. Developers are going to coworkers, blogs and forums for tips and information, and those places are as clueless as they are about Ajax," said Sullivan, senior research engineer at SPI Dynamics.

The application, called Hacker Vacation, is a takeoff on a travel Web site, and Sullivan bluntly said the finished product is "riddled with security defects."


"Developers are using knowledge from supposedly authoritative sources, but there's a lot of bad advice out there," he said. "A lot of Ajax applications are horrendously insecure applications."

Ajax stands for Asynchronous JavaScript and XML. The programming technique is standards-based, so it works on many platforms, and it underpins many of today's cutting-edge interactive Web sites. Applications such as Google Maps can reload content without a full page refresh, making sites more responsive and dynamic. As with anything cool and new in IT, security generally gives way to functionality, especially in corporate development, and Ajax is no exception.

Hoffman, SPI Dynamics' lead researcher, and Sullivan will demonstrate the Hacker Vacation application next week at the Black Hat Briefings in Las Vegas. Attendees can expect a typical case study of the security concerns around Ajax: how easily sensitive data can leak from these applications, how denial-of-service conditions can occur and how some common programming snafus apply here as well.


"It's dangerous to think about where developers are getting their advice," Hoffman said. "You go on a forum to figure out how to build a cross-domain proxy on a server to build mash-ups. You find code snippets and you're so ready to trust them. But you never ask: 'Who are these users? How long have they been programming Ajax? And, what do they know about security?' Even those who know better, still make mistakes."

Hoffman said it's simple for a developer trying their hand at building an Ajax app to inadvertently leak password information or, worse, credit card or other sensitive data from an e-commerce application, for example.

"Ajax makes it a lot easier to shoot yourself in the foot," Hoffman explained. With a good chunk of the application running in JavaScript on the client via a Web browser, it's a lot easier to leak confidential information to the client than it is in a traditional application. "Ajax allows JavaScript to take a meaningful role in an application," Hoffman said.
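The leak Hoffman describes usually happens server-side: an Ajax endpoint serializes a whole database record because the client-side script "only displays the name." The example below is added here and is not code from the Hacker Vacation application; the traveller record, field names and the two handlers are constructed for illustration. It shows the over-serializing handler beside an allow-listed one, plus a check that can be run over any JSON response body before it ships.

```javascript
// Constructed sample: a full traveller record as stored on the server.
const travellerRecord = {
  id: 42,
  name: 'Alice Example',
  email: 'alice@example.test',
  passwordHash: '$2b$10$constructed.hash.value.for.illustration',
  cardNumber: '4111111111111111',
  bookings: [{ dest: 'Lisbon', nights: 3 }],
};

// The pattern the article warns about: the entire record goes to the
// browser even though the page only renders the name and bookings.
function naiveProfileResponse(record) {
  return JSON.stringify(record);
}

// Hardened handler: an explicit allow-list of fields, and the card number
// reduced to its last four digits before it ever reaches client-side JS.
const PUBLIC_FIELDS = ['id', 'name', 'bookings'];
function hardenedProfileResponse(record) {
  const out = {};
  for (const f of PUBLIC_FIELDS) out[f] = record[f];
  out.cardLast4 = record.cardNumber.slice(-4);
  return JSON.stringify(out);
}

// Response check for a test suite or review: flag keys whose names suggest
// secrets, and string values shaped like a full card number (13-19 digits).
const SENSITIVE_KEY = /pass(word)?|secret|hash|token|card|ssn/i;
const PAN_PATTERN = /^\d{13,19}$/;
function findLeaks(json) {
  const leaks = [];
  const walk = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const [k, v] of Object.entries(node)) {
      const p = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEY.test(k) && !/last4$/i.test(k)) leaks.push(p);
      else if (typeof v === 'string' && PAN_PATTERN.test(v)) leaks.push(p);
      walk(v, p);
    }
  };
  walk(JSON.parse(json), '');
  return leaks; // [] means nothing obviously sensitive is in the body
}
```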

Sullivan adds that while Ajax is a great advance in Web development, it is more difficult to secure because it has a larger attack surface and is more transparent and complex than a traditional application.

"Security people need to take a look at this space and publish advice for developers," Sullivan says. "Developers don't speak the same language as pen-testers for example. Any time you have something as sexy as Ajax, you want to go ahead and adopt it quickly and take advantage of what it offers. Unfortunately, security is lagging when that happens."
