Ajax security issues concern researchers

Ajax makes smooth Web applications like Google Maps possible, but the rush to adopt the technology may lead to haphazard development and exploitation by hackers.

This Content Component encountered an error

LAS VEGAS -- Those who rely on smooth, interactive Web applications like Google Maps and Outlook Web Access may not realize it, but the behind-the-scenes glue holding them together is a combination of programming languages that have come to be known as Asynchronous JavaScript and XML, or Ajax.

Unfortunately, attackers have realized that Ajax-based applications are easily exploitable, paving the way for plenty of damage and financial gain.

The threat will only get worse and make life more difficult for IT security professionals, Billy Hoffman, lead research engineer with Atlanta-based SPI Dynamics Inc., warned last week during a presentation at Black Hat USA 2006. Companies are in a big hurry to add Ajax-based programs to their Web sites to increase functionality, which he said in turn leads to the development of Web applications that are haphazardly thrown together by inexperienced programmers.

"The buzz around Ajax is creating immense security implications, as the available knowledge bases and types of resources available for developers are poor," Hoffman said. "We are seeing bad design choices."

As more Web applications are based on Ajax, more vulnerabilities are surfacing, Hoffman said. He noted that:

  • 70% of attacks occur via the application layer, according to Stamford, Conn.-based research firm Gartner Inc.
  • A majority of posts on mailing lists are Web vulnerabilities
  • Input validation is easy on traditional applications.
    We know we have to balance the need to have Ajax with the security risks, and we're working to make sure everyone [in the organization] knows the risks.
    Andrew van der Stock
    Web application specialistNational Australia Bank

    Meanwhile, he said, Ajax applications offer attackers a larger attack surface to work with than traditional applications. Making matters worse, Web developers are doing a poor job of validating user input.

    "Hackers take the path of least resistance, and Web applications are the path of least resistance," Hoffman said. By attacking Ajax-based applications, he added, attackers can steal cookies, hijack browser sessions, leak sensitive information, log keystrokes and make malicious server requests.

    Examples of the threat includeJS.Yamanner, a JavaScript worm that spread through a Yahoo Mail flaw in June, and exploits that targeted the Windows Meta File (WMF) glitch Microsoft patched in January.

    To stem the tide, he said, enterprises must carefully consider how they're deploying Ajax-based applications. Businesses need to consider what is to be gained from added functionality and whether it's really necessary in the short term. Those who feel it is need to make sure their developers have enough experience and are factoring security into the development process.

    Andrew van der Stock, a Web application specialist with the National Australia Bank, said his organization is working toward eventually having Ajax-based Web applications, perhaps within the next six to 12 months.

    Ajax security articles

    New chapter and verse on Ajax security

    Helping Ajax developers stay ahead of the bad guys

    How to safely deploy Ajax

    "In the banking environment, there's a lot of pressure to use Ajax because the business side has concluded that it's [about] what the customer wants," he said. His organization though is heeding Hoffman's advice and proceeding with caution.

    "We know we have to balance the need to have Ajax with the security risks, and we're working to make sure everyone [in the organization] knows the risks," he said. "We're working to ensure every field is validated correctly, and we're constantly looking for more know-how because we want to do this right. That's why I'm here."

    This article originally appeared on SearchSecurity.com.

  • Dig deeper on Software Security Test Best Practices

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchSOA

    TheServerSide

    SearchCloudApplications

    SearchAWS

    SearchBusinessAnalytics

    SearchFinancialApplications

    SearchHealthIT

    Close