Thursday, September 13th, 2007
Bryan Sullivan and Billy Hoffman gave a talk entitled Premature Ajax-ulations that came out of their work looking at Ajax applications, and seeing if they are secure.
They came to the common conclusion that Ajax is not inherently insecure, but ignoring security makes it so:
“The extra attack surface from Ajax is not from anything in the architecture but because you’re adding functionality,” Sullivan said. As your mouse glides smoothly over a Google Map, the application behind it is hard at work, constantly sending messages back and forth from the server to the client.
“Ajax is really cool. You just have to pay an extra price for the extra functionality,” Sullivan said. That “extra price” includes following basic application security best practices and cultivating communication among development, QA and testing teams. Many of those security practices should already be familiar.
White Hat Security also concluded that Ajax doesn’t cause a larger attack surface.
Of course, Jeremiah Grossman of White Hat Security, also scared the developers out of their minds when he showed various tricks at The Ajax Experience in San Francisco, recently.
Posted by Dion Almaer at 4:03 am