WEB SECURITY ADVISOR
Ajax security: How to prevent exploits in five steps
Michael Cobb
09.14.2006
Rating: -4.25- (out of 5)
|
Google's Gmail recently caught the attention of the Web developer community about the possibilities of Ajax (Asynchronous JavaScript and XML). Ajax is a set of technologies used together to extend browser functionality and allow users and applications to access, share and edit content. While this Web development technique is nothing new, it is viewed as part of Web 2.0, a second generation of Web services, which like all Internet-based services, brings with it its own security concerns. Let's look at how Ajax operates, how it can be exploited, and what you can do to prevent an attack.
How Ajax works
Ajax applications are mainly executed on a user's machine. They exchange small amounts of data behind the scenes with the server, so the entire Web page does not have to be reloaded. This adds functionality to a page and makes it seem more responsive, like Gmail's real-time spell check, for example. Ajax uses technologies like Cascading Style Sheets (CSS), Document Object Model (DOM) and Dynamic HTML (DHTML), but its main driver is Java Script's XMLHttpRequest object, which can be set to operate behind the scenes asynchronously and triggered by user keystrokes, a timer or other similar events. This means the JavaScript code on a Web page can connect to Web servers independently of the user and pull in cross-domain content.
How hackers exploit Ajax
Web applications typically use the same origin policy, which constrains them to only connect to the server that delivered the base page. However, that does not apply to Ajax scripts, so malicious or compromised scripts could steal data stored in cookies or directly access t
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
he originating server. For example, an attacker could exploit cross-site scripting vulnerabilities covertly because the application can perform multiple requests in the background while the functionality remains normal to the user.
Preventing Ajax exploits
If you use Ajax within your Web application, its overall complexity will greatly increase, and each server side function will be an additional target for attackers. Here are five steps you can take to decrease these threats:
Remember, because the security model of XMLHttpRequest is not viable in the long-term for Web 2.0 applications, it's important to stay abreast of emerging solutions that could resolve the cross-domain problem. For example, the JSON (JavaScript Object Notation) Request doesn't allow the exchange of cookies during the request, while Adobe's Flex ActionScript does allow server side control over which sites are allowed to cross-domain with it.
Finally, if you are looking at automated application security assessment tools, make sure you select one that supports Web applications which use Ajax, such as Cenzic's Hailstorm and S.P.I. Dynamics' WebInspect.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
