Ajax programming security dangers exposed

Two security engineers from SPI Dynamics comb resources on the Net to build an Ajax application from scratch; the final product is rife with problems.

Two US secuity researchers are recommending firms who have Ajax-enabled Web applications to conduct a series of tests for security flaws.

SPI Dynamics researchers Billy Hoffman and Bryan Sullivan  decided to learn about Ajax insecurity by standing in the developer's shoes. The two cobbled together an Ajax application strictly using code snippets found on the Web, along with advice from forums and other resources on the Internet--a generally accepted practice used by developers, Hoffman and Sullivan said.

AJAX makes it a lot easier to shoot yourself in the foot.
Billy Hoffman,
security researcherSPI Dynamics

"This is not C++. Developers are going to coworkers, blogs and forums for tips and information, and those places are as clueless as they are about Ajax," said Sullivan, senior research engineer at SPI Dynamics.

The application called Hacker Vacation is a takeoff on a travel Web site, and Sullivan bluntly said the finished product is "riddled with security defects."

Billy Hoffman
Billy Hoffman

"Developers are using knowledge from supposedly authoritative sources, but there's a lot of bad advice out there," he said. "A lot of Ajax applications are horrendously insecure applications."

Ajax stands for Asynchronous JavaScript and XML; the programming technique is standards-based, making it applicable on many platforms; it's at the underbelly of many of today's cutting-edge interactive Web sites. Applications, like Google Maps for example, can reload without the need for a page refresh, making sites more responsive and dynamic. Like anything that's cool and new in IT, security generally gives way to functionality, especially in corporate development. Ajax is no exception.

Hoffman, SPI Dynamics' lead researcher, and Sullivan will demonstrate the Hacker Vacation application next week at the Black Hat Briefings in Las Vegas, and attendees can expect to see a typical case study of the security concerns around Ajax, and how easily sensitive data can leak from these applications, how denial-of-service conditions can occur and how some of common programming snafus apply here as well.

"It's dangerous to think about where developers are getting their advice," Hoffman said. "You go on a forum to figure out how to build a cross-domain proxy on a server to build mash-ups. You find code snippets and you're so ready to trust them. But you never ask: 'Who are these users? How long have they been programming Ajax? And, what do they know about security?' Even those who know better, still make mistakes."

Hoffman said it's simple for a developer trying their hand at building an Ajax app to inadvertently leak password information, or worse, credit card or other sensitive data from an ecommerce application, for example.

"Ajax makes it a lot easier to shoot yourself in the foot," Hoffman explained. With a good chunk of the application running in JavaScript on the client via a Web browser, it's a lot easier to leak confidential information to the client, unlike traditional applications. "Ajax allows JavaScript to take a meaningful role in an application," Hoffman said.

Sullivan adds that while Ajax is a great advance in Web development, it is more difficult to secure because it's got a larger attack surface, it's more transparent and complex than a traditional application.

"Security people need to take a look at this space and publish advice for developers," Sullivan says. "Developers don't speak the same language as pen-testers for example. Any time you have something as sexy as Ajax, you want to go ahead and adopt it quickly and take advantage of what it offers. Unfortunately, security is lagging when that happens."

Read more on IT risk management