Thursday, August 3rd, 2006

A Number of Ajax Security Items

Category: Security

CNet has a roundup of the state of play in Web 2.0 security, entitled The security risk in Web 2.0. It recaps recent Yahoo! Mail and MySpace worms and points the finger of blame squarely at Ajax:

One of the key enablers of the flashier Web sites is a programming technique known as AJAX, which stands for “Asynchronous JavaScript and XML.” Google Maps, launched last year, was one of the first Web applications to showcase the benefits of AJAX development techniques to a broad audience, when it let people use a mouse to move a map image around the screen.

But AJAX doesn’t just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors, experts said.

I still like Alex Russell’s response to this fear-mongering claim from a May eWeek article:

Panelist Alex Russell, co-founder and project lead for The Dojo Toolkit, a popular AJAX framework, said, “It’s worth noting that the fundamental problems with browser security and Web application security haven’t changed in five years; most rely on a single root of trust, and AJAX doesn’t change that. Wider spread use of cross-domain content distribution,” which is not new with AJAX, is part of the issue. “The short version is still, Don’t trust the client.”

I’ve made the point that it’s not that browser security has changed, but rather that web applications are now persisting executable artifacts like JavaScript, Flash, etc. That’s not really an Ajax problem (the Yahoo! Mail worm was, in fact, a problem with the old, pre-Ajax interface), but inserting user-supplied scripts and the like is certainly much more common in Ajax/Web 2.0 applications. Also, detecting “abnormal” behavior with firewalls and IDSs has become more complicated, now that Ajax applications have changed both the content and the connection profile of client HTTP traffic.
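The fix this implies, as an added example rather than anything from the post or from Ajaxian: user-submitted markup is reduced to a small allowlist of bare formatting tags before it is persisted, and everything else (script and iframe tags, img tags, any tag carrying attributes such as event handlers) is escaped to inert text. The tag allowlist and the function names are assumptions; the rejected-tag list is returned so the application can log injection attempts.

```javascript
// Constructed example: allowlist sanitizer for user-submitted comment HTML.
// Assumed policy: only attribute-free <b>, <i>, <em>, <strong>, <p>, <br> survive.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

// Escape the five characters that let text break out into markup or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns { html, rejected }: html is safe to persist and render,
// rejected lists the tag names that were refused (useful as a detection signal).
function sanitizeComment(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;        // anything tag-shaped
  const bareTagRe = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*\/?>$/; // tag with no attributes
  const rejected = [];
  let html = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    html += escapeHtml(input.slice(last, m.index)); // text between tags
    last = m.index + m[0].length;
    const bare = bareTagRe.exec(m[0]);
    if (bare && ALLOWED_TAGS.has(bare[2].toLowerCase())) {
      html += `<${bare[1]}${bare[2].toLowerCase()}>`; // re-emit in normalized form
    } else {
      rejected.push(m[1].toLowerCase());               // script, img, iframe, <b onclick=...>
      html += escapeHtml(m[0]);                        // rendered as literal text
    }
  }
  html += escapeHtml(input.slice(last));
  return { html, rejected };
}

// Constructed sample comments of the kind a blog or profile page would receive.
function demo() {
  const samples = [
    "<b>hi</b><script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "Tom & Jerry <br/> 1 < 2",
  ];
  return samples.map((s) => sanitizeComment(s));
}

module.exports = { escapeHtml, sanitizeComment, demo };
```

A non-empty `rejected` list on a stored comment is worth logging with the submitter's session, since a burst of them is how a self-propagating profile worm looks from the server side.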

If I’ve made you nervous, sadly it’s too late to check out Black Hat USA 2006, which is finishing up today in Las Vegas. They were busy trying to scale the walls of Web 2.0. The schedule shows two talks on AJAX, one entitled AJAX (in)security, the other Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0.

We all know how this works: they make you afraid so they can sell you their security products. But there usually is some worth in these presentations. For one, the security firms spend far more time diagnosing and fixing security issues than your average developer. It helps to see what they’ve come across; you’d hate to get hacked for a lack of imagination. Though the presentations are not up on each company’s web site yet, there is one available by Billy Hoffman that gives a good overview of web application security with a focus on Ajax and an analysis of several past and possible worms and viruses.

Posted by Dietrich Kappe at 12:34 pm


Web 2.0 and AJAX Security Vulnerabilities

Ajaxian has a post about some sessions at the Black Hat USA 2006 conference. I’m quite honestly surprised that this is just gaining some press now, I’ve figured it would happen sooner than it has (but that’s typical for me

Trackback by — August 3, 2006

Again, we see a current buzz word masking the real news story. Ajax doesn’t cause the vulnerabilities Hoffman (and, presumably others) describe; allowing arbitrary users to post arbitrary HTML does. Of course a person who can inject HTML into a remote site can do bad things — from inappropriate IMG tags, to bad IFRAMES, to the type of XHR attack Hoffman proposed. The popularity of Ajax techniques lowers the bar for malicious code writers, but a site like MySpace — or even a blog comments section — allowing John Q. Public to write HTML has always been a bad idea, regardless thereof.

Comment by A.R.Wolff — August 4, 2006
