How Ajax works
How hackers exploit Ajax
Web applications typically use the same origin policy, which constrains them to only connect to the server that delivered the base page. However, that does not apply to Ajax scripts, so malicious or compromised scripts could steal data stored in cookies or directly access the originating server. For example, an attacker could exploit cross-site scripting vulnerabilities covertly because the application can perform multiple requests in the background while the functionality remains normal to the user.
Preventing Ajax exploits
If you use Ajax within your Web application, its overall complexity will greatly increase, and each server side function will be an additional target for attackers. Here are five steps you can take to decrease these threats:
- The key coding discipline of never trusting the client still applies, so any security controls should be implemented on the server and never controlled by the user.
- Initially, keep the application straightforward. Reducing and simplifying any Ajax calls makes it easier to evaluate all possible types of requests that can be generated by a page or application during security testing.
- Document and explain how the application communicates with the server and handles the responses it receives. Cover such issues as SSL connections for sensitive information.
- Complete security testing prior to moving the application online, with special emphasis placed on checking for access control and input validation flaws.
- Visit the Web Application Security Project for help with developing secure Ajax applications.
Finally, if you are looking at automated application security assessment tools, make sure you select one that supports Web applications which use Ajax, such as Cenzic's Hailstorm and S.P.I. Dynamics' WebInspect.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in September 2006