Ajax security issues concern researchers

Bill Brenner

LAS VEGAS -- Those who rely on smooth, interactive Web applications like Google Maps and Outlook Web Access may not realize it, but the behind-the-scenes glue holding them together is a set of browser-side techniques that has come to be known as Asynchronous JavaScript and XML, or Ajax: JavaScript running in the page exchanges data with the server in the background, so the page updates without a full reload.

Unfortunately, attackers have realized that many Ajax-based applications are easily exploitable, giving them a path to both damage and financial gain.

The threat will only get worse and make life more difficult for IT security professionals, Billy Hoffman, lead research engineer at Atlanta-based SPI Dynamics Inc., warned last week in a presentation at Black Hat USA 2006. Companies are rushing to add Ajax features to their Web sites to increase functionality, he said, which in turn produces Web applications that are haphazardly thrown together by inexperienced programmers.

"The buzz around Ajax is creating immense security implications, as the available knowledge bases and types of resources available for developers are poor," Hoffman said. "We are seeing bad design choices."

As more Web applications are built on Ajax, more vulnerabilities are surfacing, Hoffman said. He noted that:

  • 70% of attacks occur via the application layer, according to Stamford, Conn.-based research firm Gartner Inc.
  • A majority of posts on mailing lists concern Web vulnerabilities
  • Input