Thursday, August 3rd, 2006
CNet has a roundup of the state of play in Web 2.0 security, entitled The security risk in Web 2.0. It recaps recent Yahoo! Mail and MySpace worms and points the finger of blame squarely at Ajax:
But AJAX doesn’t just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors, experts said.
I still like Alex Russell’s response to this fear-mongering claim from a May eWeek article:
Panelist Alex Russell, co-founder and project lead for The Dojo Toolkit, a popular AJAX framework, said, “It’s worth noting that the fundamental problems with browser security and Web application security haven’t changed in five years; most rely on a single root of trust, and AJAX doesn’t change that. Wider spread use of cross-domain content distribution,” which is not new with AJAX, is part of the issue. “The short version is still, Don’t trust the client.”
If I’ve made you nervous, sadly it’s too late to check out Black Hat USA 2006, which is finishing up today in Las Vegas. They were busy trying to scale the walls of Web 2.0. The schedule shows two talks on AJAX, one entitled AJAX (in)security, the other Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0.
We all know how this works: they make you afraid so they can sell you their security products. But there usually is some worth in these presentations. For one, the security firms spend far more time diagnosing and fixing security issues than your average developer. It helps to see what they’ve come across; you’d hate to get hacked for a lack of imagination. Though the presentations are not up on each company’s web site yet, there is one available by Billy Hoffman that gives a good overview of web application security with a focus on Ajax and an analysis of several past and possible worms and viruses.
Posted by Dietrich Kappe at 12:34 pm