Those who rely on smooth, interactive Web applications like Google
Maps and Outlook Web Access may not realise it, but the
behind-the-scenes glue holding them together is a combination of
programming languages that have come to be known as Asynchronous
JavaScript and XML, or Ajax.
Unfortunately, attackers have realised that Ajax-based
applications are easily exploitable, paving the way for plenty of
damage and financial gain.
The threat will only get worse and make life more difficult for
IT security professionals, Billy Hoffman, lead research engineer
with Atlanta-based SPI Dynamics, warned last week during a
presentation at Black Hat USA 2006. Companies are in a big hurry to
add Ajax-based programs to their Web sites to increase
functionality, which he said in turn leads to the development of
Web applications that are haphazardly thrown together by
inexperienced programmers.
"The buzz around Ajax is creating immense security implications,
as the available knowledge bases and types of resources available
for developers are poor," Hoffman said. "We are seeing bad design
choices."
As more Web applications are based on Ajax, more vulnerabilities
are surfacing, Hoffman said. He noted that:
- 70% of attacks occur via the application layer, according to
research firm Gartner Inc.
- A majority of posts on mailing lists concern Web
vulnerabilities.
- Input validation is easy on traditional applications.
Meanwhile, he said, Ajax applications offer attackers a larger
attack surface to work with than traditional applications. Making
matters worse, Web developers are doing a poor job of validating
user input.
"Hackers take the path of least resistance, and Web applications
are the path of least resistance," Hoffman said. By attacking
Ajax-based applications, he added, attackers can steal cookies,
hijack browser sessions, leak sensitive information, log keystrokes
and make malicious server requests.
Examples of the threat include JS.Yamanner, a JavaScript worm
that spread through a Yahoo Mail flaw in June, and exploits that
targeted the Windows Metafile (WMF) glitch Microsoft patched in
January.
To stem the tide, he said, enterprises must carefully consider
how they're deploying Ajax-based applications. Businesses need to
consider what is to be gained from added functionality and whether
it's really necessary in the short term. Those who feel it is need
to make sure their developers have enough experience and are
factoring security into the development process.
Andrew van der Stock, a Web application specialist with the
National Australia Bank, said his organisation is working toward
eventually having Ajax-based Web applications, perhaps within the
next six to 12 months.
"In the banking environment, there's a lot of pressure to use
Ajax because the business side has concluded that it's [about] what
the customer wants," he said. His organisation, though, is heeding
Hoffman's advice and proceeding with caution.
"We know we have to balance the need to have Ajax with the
security risks, and we're working to make sure everyone [in the
organisation] knows the risks," he said. "We're working to ensure
every field is validated correctly, and we're constantly looking
for more know-how because we want to do this right. That's why I'm
here."
This article originally appeared on
SearchSecurity.com.