Manage Learn to apply best practices and optimize your operations.

Do any freeware tools scan for Ajax vulnerabilities?

Securing Ajax applications is a new challenge for anyone developing Web services. In our expert Q&A, Michael Cobb reviews tools that can assess the vulnerabilities of Ajax Web applications.

We develop Java- and Ajax-based Web products for our service. Is there any free tool available that can scan code for Ajax vulnerabilities?
Securing Ajax applications is a new challenge for anyone involved in developing or managing Web services. JavaScript's XMLHttpRequest object, the heart of most Ajax applications, enables Web pages to connect to Web servers independently of the user and pull in cross-domain content. This function creates serious security issues when combined with other loosely coupled software services within a service-oriented architecture (SOA). Although Ajax generally doesn't create new vulnerabilities, it does expose many of the existing ones, particularly since Ajax applications are so complex. This makes it difficult to test the many possible permutations of user and service interactions. You're quite right in wanting to scan your code, but as yet, there isn't really a comprehensive automated Ajax application security assessment tool.

The Open Web Application Security Project (OWASP) recently made Sprajax available for free download. It is an open source security scanner developed specifically to scan Ajax Web applications for potential security vulnerabilities. I have no doubt that this will become a great tool, but at present I wouldn't call it comprehensive. You can download Sprajax at the site. AT OWASP you will also find advice on developing secure Ajax applications and you can sign up to receive a complementary security scan from Acunetix Ltd.

On the other hand, if your budget allows for an Ajax vulnerability-assessment tool, you may consider Cenzic Inc.'s updated Hailstorm product. The newly updated tool can now scan Ajax-enabled applications. Although not every XML- and SOA-specific vulnerability is covered, Hailstorm can use an internal browser to detect errors based on actual responses received from the application, which is much better than relying on signature-based scans. The product can also perform session-based assessments of vulnerabilities like session hijacking, a tactic that signature-based scans cannot detect. SPI Dynamics Inc.'s WebInspect is another scanner worth reviewing. One of its many tests checks for authentication and authorization of dynamic links to scripts on the server.

Finally, when you develop your Ajax applications, try to keep them as uncomplicated as possible. Reducing and simplifying any Ajax call will make it easier to evaluate the possible types of requests that a page or application generates. Also, make sure to document and explain how the application communicates with the server and how it handles responses. This will make it easier to evaluate whether there is a possible security flaw in the code. The key coding discipline of never trusting data from the client still applies. Any security controls should be implemented on the server and never be under the control of the user.

More information:

  • Prevent Ajax threats in five easy steps.
  • Review these secure coding dos and don'ts .
  • This was last published in December 2006

    Dig Deeper on Web application and API security best practices

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.