Two US security researchers are recommending that firms with
Ajax-enabled Web applications put them through a series of tests for
security flaws.
SPI Dynamics researchers Billy Hoffman and Bryan
Sullivan decided to learn about Ajax insecurity by standing in the
developer's shoes. The two cobbled together an Ajax application
using only code snippets found on the Web, along with advice from
forums and other Internet resources, which Hoffman and Sullivan said
is common practice among developers.
"This is not C++. Developers are going to coworkers, blogs and
forums for tips and information, and those places are as clueless
as they are about Ajax," said Sullivan, senior research engineer at
SPI Dynamics.
The application called Hacker Vacation is a takeoff on a travel
Web site, and Sullivan bluntly said the finished product is
"riddled with security defects."
"Developers are using knowledge from supposedly authoritative
sources, but there's a lot of bad advice out there," he said. "A
lot of Ajax applications are horrendously insecure
applications."
Ajax stands for Asynchronous JavaScript and XML. The technique is
built on open standards, so it works across browsers and platforms,
and it underpins many of today's cutting-edge interactive Web sites.
An Ajax application such as Google Maps can fetch new data and update
parts of the page in the background, without a full page refresh,
which makes the site more responsive and dynamic. As with anything
cool and new in IT, security generally gives way to functionality,
especially in corporate development. Ajax is no exception.
Hoffman, SPI Dynamics' lead researcher, and Sullivan will
demonstrate the Hacker Vacation application next week at the Black
Hat Briefings in Las Vegas, and attendees can expect to see a
typical case study of the security concerns around Ajax: how easily
sensitive data can leak from these applications, how
denial-of-service conditions can occur, and how common programming
snafus apply here as well.
"It's dangerous to think about where developers are getting
their advice," Hoffman said. "You go on a forum to figure out how
to build a cross-domain proxy on a server to build mash-ups. You
find code snippets and you're so ready to trust them. But you never
ask: 'Who are these users? How long have they been programming
Ajax? And, what do they know about security?' Even those who know
better, still make mistakes."
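The cross-domain proxy Hoffman mentions is a good illustration of the kind of snippet that circulates on forums. The naive version takes a URL from the browser and fetches it on the server, which turns the mash-up helper into an open proxy that attackers can point at internal hosts. The code below is an added example written for this page; it is not code from the original article, from SPI Dynamics, or from the Hacker Vacation application. The allow-listed origins, the fake fetch function and the sample requests are all constructed for the example.

```javascript
// Added example (not from the article): a cross-domain proxy endpoint of the
// kind a mash-up needs, with a target allow-list instead of "fetch any URL".
// The forum-snippet version is essentially
//   app.get('/proxy', (req, res) => fetch(req.query.url).then(...))
// i.e. an open proxy: the browser can make the server fetch anything,
// including internal addresses, and relay the response back.

// Assumed allow-list for this example; real deployments list their own APIs.
const ALLOWED_ORIGINS = new Set([
  'https://api.example-weather.test',
  'https://maps.example.test',
]);

// Decide whether a requested target may be fetched on the client's behalf.
// Returns null when it may, or a short reason string when it must be refused.
// Comparing url.origin (scheme + host + port) defeats look-alike hosts,
// non-default ports and the "https://allowed-host@evil/" userinfo trick.
function checkProxyTarget(rawUrl, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return 'unparseable URL';
  }
  if (url.protocol !== 'https:') return 'scheme not https';
  if (url.username || url.password) return 'credentials in URL';
  if (!allowed.has(url.origin)) return 'origin not in allow-list';
  return null;
}

// Handler shaped like an Express route, with the fetch function injected so
// the example runs offline against a stub. Only the body is relayed, never
// upstream headers (which could carry Set-Cookie or cache directives).
async function handleProxyRequest(query, fetchImpl) {
  const reason = checkProxyTarget(query.url);
  if (reason !== null) {
    return { status: 400, body: { error: `refused: ${reason}` } };
  }
  const upstream = await fetchImpl(query.url);
  return { status: upstream.status, body: await upstream.text() };
}

// Constructed stub standing in for the network.
async function fakeFetch(url) {
  return { status: 200, text: async () => `fetched ${url}` };
}

// Constructed sample requests: one legitimate, the rest typical abuse.
async function demo() {
  const cases = [
    'https://api.example-weather.test/forecast?city=Vegas',
    'http://api.example-weather.test/forecast',
    'https://api.example-weather.test@169.254.169.254/latest/meta-data/',
    'https://169.254.169.254/latest/meta-data/',
    'https://api.example-weather.test:8443/forecast',
    'file:///etc/passwd',
    'not a url',
  ];
  for (const u of cases) {
    const r = await handleProxyRequest({ url: u }, fakeFetch);
    console.log(r.status, JSON.stringify(r.body));
  }
}

demo();
```

The check is deliberately an allow-list on the parsed origin rather than a deny-list of "bad" hosts or a substring match on the raw string: the raw string is exactly what an attacker controls, and a substring test would accept the userinfo and look-alike-host cases above.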
Hoffman said it's simple for a developer trying their hand at
building an Ajax app to inadvertently leak password information, or
worse, credit card or other sensitive data from an ecommerce
application, for example.
"Ajax makes it a lot easier to shoot yourself in the foot,"
Hoffman explained. With a good chunk of the application running as
JavaScript in the user's browser, it is far easier than in a
traditional server-side application to leak confidential information
to the client, where any user can inspect it. "Ajax allows
JavaScript to take a meaningful role in an application," Hoffman
said.
Sullivan adds that while Ajax is a great advance in Web
development, it is harder to secure than a traditional application:
it has a larger attack surface, and it is both more transparent and
more complex.
"Security people need to take a look at this space and publish
advice for developers," Sullivan says. "Developers don't speak the
same language as pen-testers for example. Any time you have
something as sexy as Ajax, you want to go ahead and adopt it
quickly and take advantage of what it offers. Unfortunately,
security is lagging when that happens."