Thursday, September 13th, 2007

Premature Ajax-ulations: Ajax Security… It’s Still The Web

Category: Security

Bryan Sullivan and Billy Hoffman gave a talk entitled Premature Ajax-ulations that grew out of their work assessing Ajax applications and asking whether they are secure.

They reached the now-familiar conclusion that Ajax is not inherently insecure, but ignoring security makes it so:

“The extra attack surface from Ajax is not from anything in the architecture but because you’re adding functionality,” Sullivan said. As your mouse glides smoothly over a Google Map, the application behind it is hard at work, constantly sending messages back and forth from the server to the client.

“Ajax is really cool. You just have to pay an extra price for the extra functionality,” Sullivan said. That “extra price” includes following basic application security best practices and cultivating communication among development, QA and testing teams. Many of those security practices should already be familiar.
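The point Sullivan is making is that every Ajax call is an ordinary HTTP request: the browser's script normally sends it, but anyone can send the same JSON with curl, and the server cannot tell the difference. The following is an added example written for this page, not code from the talk or from Ajaxian. It contrasts a profile endpoint that trusts what the page's own JavaScript "would" send with one that applies the usual server-side rules. The request shape (`body` plus a server-side `session`), the `USERS` table and the user IDs are assumptions constructed for the demo; nothing touches the network.

```javascript
// Added example (not from the talk or from Ajaxian): a JSON "Ajax endpoint"
// handler in its vulnerable and hardened forms. The request shape, the
// session object and the user table are assumptions constructed for this
// demo; nothing touches the network.

// Constructed sample data: what the server knows about its users.
const USERS = {
  1: { id: 1, name: "root",  email: "root@example.com",  role: "admin" },
  7: { id: 7, name: "alice", email: "alice@example.com", role: "user" },
  8: { id: 8, name: "bob",   email: "bob@example.com",   role: "user" },
};

// A request as the endpoint sees it after JSON parsing: `body` is whatever
// the caller sent (the page's script normally sends it, but curl can send
// anything), `session` is server-side state tied to the session cookie.
function makeRequest(body, session) {
  return { body, session: session || {} };
}

// INSECURE: the endpoint trusts fields the page's own JavaScript "would"
// send, such as an isAdmin flag and the caller's userId. An attacker skips
// the page and posts the JSON directly with whatever values they like.
function getProfileInsecure(req) {
  const { userId, isAdmin } = req.body;
  const user = USERS[userId];
  if (!user) return { status: 404 };
  if (isAdmin || req.session.userId === userId) {
    return { status: 200, profile: user }; // leaks email and role to anyone
  }
  return { status: 403 };
}

// HARDENED: same URL, same JSON, but identity comes from the session,
// authorization from server-side roles, and the parameter is validated
// before it touches any lookup. The response carries only what the
// caller is entitled to see.
function getProfileSecure(req) {
  const caller = USERS[req.session.userId];
  if (!caller) return { status: 401 }; // not logged in

  const userId = req.body.userId;
  // Reject "7", "7 OR 1=1", arrays, objects, undefined: only a positive integer.
  if (!Number.isInteger(userId) || userId <= 0) return { status: 400 };
  const target = USERS[userId];
  if (!target) return { status: 404 };

  // Any authenticated user may see the public view; only the owner or an
  // admin gets the private fields. The client's opinion is never consulted.
  const full = caller.role === "admin" || caller.id === target.id;
  const profile = full
    ? { id: target.id, name: target.name, email: target.email }
    : { id: target.id, name: target.name };
  return { status: 200, profile };
}

// Forged request: bob (session user 8) asks for alice's profile and
// claims to be an admin in the body.
function demo() {
  const forged = makeRequest({ userId: 7, isAdmin: true }, { userId: 8 });
  return {
    insecure: getProfileInsecure(forged), // 200 with alice's email leaked
    secure: getProfileSecure(forged),     // 200 with public fields only
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Nothing in the hardened handler is Ajax-specific: session-based identity, server-side authorization, type checking of parameters and minimal responses are the same practices a form-posting application needed before Ajax. What Ajax changes is the number of such endpoints, which is exactly the "extra attack surface from added functionality" the talk describes.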

White Hat Security also concluded that Ajax does not, in itself, create a larger attack surface.

Of course, Jeremiah Grossman of White Hat Security also scared developers out of their minds when he showed various tricks recently at The Ajax Experience in San Francisco.

Posted by Dion Almaer at 4:03 am




Haha, nice title :)

Comment by Kaloyan K. Tsvetkov — September 13, 2007

Is this scary talk going to be transcribed onto a website anywhere? I’d like to see what he was able to accomplish, and measures to defeat them.

Comment by Mike Ritchie — September 13, 2007

Ajax is as secure as anything else involving communication and computers on this planet. I find it really bothersome how much energy the existing power shakers are putting into “proving” that Ajax is not secure…

Take us for instance; (Gaia Ajax Widgets)
With our model we’re exactly as secure as ASP.NET and/or Mono is since we build our entire platform on top of theirs meaning that if there’s a breach in Mono there’s a breach in Gaia but unless there is a breach in Mono (or .Net) there’s NO breach in Gaia…!

To say things like “Ajax is insecure” etc. is basically like saying “Europeans are stupid” or “Americans are arrogant” or something…
Only with humans there are actually LAWS against it…!

I find it however extremely interesting that these kinds of claims come directly some few days after the release of Silverlight… ;)

Comment by Thomas Hansen — September 17, 2007
