MySpace, YouTube successes open door to Web 2.0 dangers

Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex. Mike Cobb, managing directorCobweb Applications

Everyone is now rushing to add interactive features to their own Web applications to try to recreate the successes of sites like MySpace and YouTube. A key element of this new class of Web service is Asynchronous JavaScript and XML (Ajax), a set of technologies used together to extend browser functionality.

Ajax applications are mainly executed on the user's machine and can connect to Web servers independently of the user, exchanging data behind the scenes so that the entire Web page does not have to be reloaded. This makes the application feel more responsive, such as Gmail's real-time spell checking. This relatively seamless exchange of data between an application server and a browser allows users to access, share, and edit online content in similar fashion to traditional desktop applications.

But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists and profile information. Such attacks have heightened concerns that Web 2.0, and Ajax in particular, are introducing new threats to life on the Web.

Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex. There are many more interactions between the browser and server, and pages can even pull in content from other sites. This makes it difficult to test the many possible permutations of user and service interaction, allowing old vulnerabilities such as cross-site scripting (XSS) flaws to be unwittingly introduced in to the application.

Web application attacks: Read more about SQL injection and cross-site scripting in our Web Application Attacks Learning Guide. Tip: Preventing blind SQL injection attacks Tip: Ajax security: How to prevent exploits in five steps Report: Web applications caught in a storm of attacks Do any freeware tools scan for Ajax vulnerabilities?

All the big sites such as Microsoft, Google, eBay, and Yahoo have experienced cross-site scripting flaws in the past but where Ajax does change the threat landscape is that it allows an attacker to exploit XSS vulnerabilities in a more covert manner. Malicious code can make multiple requests in the background while the user will be unaware of anything untoward happening. XSS attacks can be used to steal data, take control of a user's session, run malicious code, or launch phishing scams.

Securing Ajax applications is a new challenge for anyone involved in developing or managing Web-based services. As yet there aren't really any comprehensive automated Ajax application security assessment tools. So until developers become more security aware, particularly about the unanticipated malicious use of their application's features, we're not likely to see a reduction in the number of successful attacks against Web 2.0 sites.

However, one of the benefits of Web-based applications is that deploying fixes is typically fast and easy, requiring no action from the user. This does mean that vulnerabilities, once discovered, can be removed quickly without the need for users to download and install patches themselves.