Web 2.0 is a catch-all term covering second generation Web services
and has captured the imagination of the Web developer community.
Everyone is now rushing to add interactive features to their own
Web applications to try to recreate the successes of sites like
MySpace and YouTube. A key element of this new class of Web service
is Asynchronous JavaScript and XML (Ajax), a set of technologies
used together to extend browser functionality.
Ajax applications are mainly executed on the user's machine and
can connect to Web servers independently of the user, exchanging
data behind the scenes so that the entire Web page does not have to
be reloaded. This makes the application feel more responsive; Gmail's
real-time spell checking is a familiar example. This relatively seamless
exchange of data between an application server and a browser allows
users to access, share, and edit online content in similar fashion
to traditional desktop applications.
But in the rush to add interactive features, security has often
been overlooked. Several high profile attacks have exploited
weaknesses in sites using Web 2.0 technologies. The Yamanner worm
hit Yahoo mail users, exploiting JavaScript and Ajax code to
collect email addresses, while the Samy and Spaceflash worms spread
among MySpace users changing buddy lists and profile information.
Such attacks have heightened concerns that Web 2.0, and Ajax in
particular, are introducing new threats to life on the Web.
Ajax is not that new and it hasn't introduced new
vulnerabilities, just variations of old ones. The problem is that
Ajax applications tend to be very complex. There are many more
interactions between the browser and server, and pages can even
pull in content from other sites. This makes it difficult to test
the many possible permutations of user and service interaction,
allowing old vulnerabilities such as cross-site scripting (XSS)
flaws to be unwittingly introduced into the application.
All the big sites, such as Microsoft, Google, eBay, and Yahoo,
have experienced cross-site scripting flaws in the past. Where
Ajax does change the threat landscape is that it allows an attacker
to exploit XSS vulnerabilities in a more covert manner. Malicious
code can make multiple requests in the background while the user
remains unaware of anything untoward happening. XSS attacks can be
used to steal data, take control of a user's session, run malicious
code, or launch phishing scams.
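As an added example (not from the article), the pattern behind most Ajax XSS flaws and its fix: data fetched in the background is rendered into the page without escaping. The spell-check response, the payload in it and the function names are constructed for illustration.

```javascript
// Constructed spell-check response, modelled on the kind of data a
// Gmail-style checker returns; the second suggestion carries an XSS payload.
const constructedResponse = JSON.stringify({
  word: "recieve",
  suggestions: ["receive", "<script>alert(1)</script>"],
});

// Vulnerable: builds markup by concatenating untrusted strings, which
// becomes XSS the moment the result is assigned to element.innerHTML.
function renderSuggestionsUnsafe(jsonText) {
  const data = JSON.parse(jsonText);
  return data.suggestions.map((s) => `<li>${s}</li>`).join("");
}

// Hardened: escape the five characters HTML treats specially ...
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// ... and validate the response shape before rendering, so an unexpected
// or tampered reply from a background request fails closed.
function renderSuggestionsSafe(jsonText) {
  const data = JSON.parse(jsonText);
  if (!data || !Array.isArray(data.suggestions)) {
    throw new Error("unexpected spell-check response shape");
  }
  return data.suggestions
    .filter((s) => typeof s === "string")
    .map((s) => `<li>${escapeHtml(s)}</li>`)
    .join("");
}
```

The escaped string is inert when assigned to innerHTML; where no markup is needed at all, setting textContent instead avoids the HTML parser entirely.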
Securing Ajax applications is a new challenge for anyone
involved in developing or managing Web-based services. As yet there
aren't really any comprehensive automated Ajax application security
assessment tools. So until developers become more security aware,
particularly about the unanticipated malicious use of their
application's features, we're not likely to see a reduction in the
number of successful attacks against Web 2.0 sites.
However, one of the benefits of Web-based applications is that
deploying fixes is typically fast and easy, requiring no action
from the user. This does mean that vulnerabilities, once
discovered, can be removed quickly without the need for users to
download and install patches themselves.
Michael Cobb, CISSP-ISSAP, is the founder and managing director
of Cobweb Applications Ltd., a consultancy that offers IT training
and support in data security and analysis. He co-authored the
book IIS Security and has written numerous technical articles for
leading IT publications. Mike is the guest instructor for
SearchSecurity.com's Messaging Security School and, as a
SearchSecurity.com site expert, answers user questions on
application security and platform security.