Ajax security concerns you need to be aware of

As developers implement Ajax and Web 2.0 applications, they need to understand security issues such as cross-site scripting (XSS), cross-site request forgery (CSRF) and JavaScript hijacking.

The advent in the last two years of Ajax interfaces with improved interactivity has caused many commercial Web site owners to rebuild or refit their Web commerce sites. The move to Ajax and so-called Web 2.0 applications should also lead to a fresh consideration of Web application security.

To ensure secure Web applications in such circumstances, developers should obtain a thorough understanding of cross-site request forgery (CSRF), JavaScript hijacking and cross-site scripting (XSS), among a host of other security issues, said Joe Walker, the lead at the Getahead IT consultancy and creator of DWR (Direct Web Remoting).

Many problems to watch for are not intrinsic to Ajax, Walker noted; they have simply become more visible in the Ajax era. As developers try to do more with the Web interface, the need to filter input correctly grows. Wherever there is more interaction with people, there is more opportunity for them to slip something bad in, he said.

Some steps to take
A first step is to "make sure all your URLs are protected properly," said Walker. "It's an obvious thing to watch out for, but people get it wrong if only because it is pretty tedious to get right."

XSS can be a hard problem, said Walker. You are at risk of an XSS attack if you allow scripts from an untrustworthy party into your Web pages. And writing a good filter to guard against these attacks is difficult.

Completely restricting users' ability to enter HTML tags would be a partial solution. However, richer interaction is a mark of so-called Web 2.0 applications. For example, blogs often allow comments from readers, and those comment forms often permit HTML tags. Because such input can be dangerous, careful filters must be built to handle it. Among other steps, Walker recommends taking special care over attributes and regular expressions when building XSS filters.

JavaScript hijacking
JavaScript hijacking attacks rely on the fact that <script> tags can be used to get around Web browsers' Same Origin policy. Ajax applications that use JavaScript as a data transport mechanism can therefore be vulnerable.

"People have known about JavaScript hijacking for a long time, but they have only started to become worried about it recently," Walker said. "The essence of the issue is that JavaScript is a very dynamic language. It will allow you to redefine pretty much everything. If you have the ability to manipulate the environment before some data structure is interpreted, you can have ways to steal information out, basically."

Walker pointed out that there are at least a couple of ways to protect applications from JavaScript hijacking.

"JavaScript hijacking relies on cross-site request forgery in some ways," said Walker. "If you are completely safe against [CSRF], then you are completely safe against JavaScript hijacking. The other thing is if you work with JSON and follow the JSON spec correctly using curly brackets at the outside, then you are safe for other reasons."
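The two defences Walker describes can be checked in code. The example below is added here and is not from the article or from DWR; the `serveUserData` handler, its `session` object and the `x-csrf-token` header name are assumptions for the demonstration. It shows why a JSON response whose outermost value is an object cannot be loaded through a cross-site <script src> tag (the browser compiles such a response as a program, and a top-level object literal is a syntax error in that position), and how a per-session token that a <script> request cannot supply blocks the request outright.

```javascript
// Added example (not from the article or from DWR). A JSON response that an
// attacker's page pulls in with <script src="..."> is compiled as a
// JavaScript program. If the text is valid JSON but not a valid program, the
// cross-origin page cannot evaluate it. A top-level object literal is such a
// text: `{"users":...}` parses as a block whose first statement is the string
// "users" followed by an unexpected ':'.

function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Approximates the browser compiling a script response. Compile only; the
// text is never executed.
function compilesAsProgram(text) {
  try { new Function(text); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// A response is exposed to hijacking only if it is both valid JSON (useful
// to the real application) and loadable as a script (useful to an attacker).
function classifyResponse(text) {
  const json = isValidJson(text);
  const program = compilesAsProgram(text);
  return { validJson: json, loadableAsScript: program, exposed: json && program };
}

// Second defence: a CSRF-style token check. A <script src> request carries the
// victim's cookies but cannot add custom headers or learn a per-session
// secret, so the endpoint refuses any request without the expected token.
// `request`, `session` and the header name are assumptions for this demo.
function serveUserData(request, session, payload) {
  const presented = request.headers['x-csrf-token'];
  if (!presented || presented !== session.csrfToken) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: payload };
}

// Constructed sample responses: the same data with an array and an object
// as the outermost value.
const ARRAY_RESPONSE = '[{"user":"alice","email":"alice@example.test"}]';
const OBJECT_RESPONSE = '{"users":[{"user":"alice","email":"alice@example.test"}]}';
```

Run under Node.js: `classifyResponse(ARRAY_RESPONSE).exposed` is true while `classifyResponse(OBJECT_RESPONSE).exposed` is false, even though both strings are valid JSON.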

Stressed browsers
Walker indicated that as Ajax has evolved, it has further stressed the security limits of browsers, but those limits were there already.

"As we have done more with Ajax, we've understood browsers better. And as a result of understanding browsers a lot better, we have discovered things that they don't do particularly well," he said.

All of these security concerns have come "out of the woodwork" in the Ajax environment, Walker said, but they already existed before.

Note: Joe Walker maintains a Web blog that is replete with useful Ajax security information. A good place to start is his tagged "Security" page.
