Black Hat 2007: More on the dangers of Ajax

One of the presenters at this year's Black Hat USA 2007 conference in Las Vegas is Billy Hoffman, a researcher with SPI Dynamics. Hoffman made headlines at last year's conference with a series of presentations on application security, particularly the threats against Web sites that rely on Asynchronous JavaScript and XML (Ajax). In this Q&A, Hoffman previews more application-based dangers he'll be discussing at the 2007 event, and talks about the future of SPI Dynamics as part of HP, which acquired the security firm in June.

What kind of changes do you expect in your corner of the operation after HP's acquisition of SPI Dynamics?

Billy Hoffman: HP very much wants to keep SPI intact. This isn't an acquire-and-strip-our-resources type of thing. They understand we're the leader in Web application security. SPI Dynamics has over 1,000 customers right now and we talked at a third of all Web application talks at Black Hat last year, so we're clearly the leader and they know this. They don't want to kill the golden goose.

So HP has openly expressed that it wants to hang on to SPI Dynamics' talent?
Hoffman: Oh, yes. We certainly have a large number of customers but it's not like they're buying us for our customer portfolio and ditching us. They realize the people, the research and intellectual property and the knowledge we have of Web application security is really what makes us valuable and they very much want to keep us intact.

At last year's Black Hat conference you warned that Ajax-based applications are being adopted quickly without a lot of thought about security. Will that be a recurring theme for you this year as well?
Hoffman:

I'll be taking [the issue] to the next step. People are starting to realize there are issues with Ajax and I think developers kind of fall into some of these mistakes. I routinely browse around Ajax Web sites and forums and developers are still very much confused about which part of an Ajax app is running on the server and which part is running on the client. The danger is anything you put on the client an attacker can see in terms of secrets, data you may be caching temporarily, program application logic or flow -- all this information. You want to be very careful about what you're pushing to the client. We see things like Microsoft Silverlight, which is their version of Flash. It allows Web developers to build rich applications on both the client and server using the same language, in C-sharp or what have you. The problem is that this blurs the line even more as far as where code is running and who can see what. So our big presentation is called Premature Ajax-ulation, which I'm giving with my co-author, Bryan Sullivan. We're writing a book called "Ajax Security" (Due out Nov. 1) and we'll be giving away a chapter at Black Hat.

Will a demo be part of the Premature Ajax-ulation presentation?
Hoffman: We're going to run through a sample travel Web site we built complete with rich Web services, a nice Ajax-y feel and we'll run through it and say hey, here's a Web site we built using the techniques and design patterns in these books and Web sites and here's why we just built one of the world's most insecure applications. Here are the problems, here's what we didn't know, here's what all those books that tell you how to program in Ajax aren't telling you and how it's leaving you open.

You're also doing a presentation called "The Little Hybrid Web worm that could" …
Hoffman: We'll talk about Web worms, which we've seen on the rise over the last year with one affecting MySpace, one affecting Yahoo and some affecting Google. We've really seen these on the rise in the past year.