BLACK HAT - Researchers: Rush to Ajax a security threat

Big trend, fast development, low awareness equals bad combo

Software developers using Asynchronous Javascript and XML (AJAX) techniques to jazz up corporate Web sites are failing to pay attention to some very fundamental security issues, security researchers warned at the Black Hat USA conference in Las Vegas on Wednesday.

As a result, many companies that have rushed to AJAX-enable their sites may be dangerously vulnerable to a variety of Web-based threats of which they're not even aware.

AJAX is an increasingly popular programming technique that allows Web designers to make their Web sites more responsive to user input compared to traditional pages. Google, Yahoo and many other sites have embraced AJAX, which enables new content to be added to a Web page in response to user input without needing the entire page to be reloaded.

AJAX allows the browser to fetch small amounts of data from the Web server from which the content is loaded, using Javascript and XML technologies. The approach is considered more efficient than having an entire Web page reload every time content needs to be refreshed. But if care is not taken to control the manner in which the browser accesses the server data, all sorts of security issues can arise, says Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics.

Among the biggest of these threats, says Hoffman, is the opening that poorly coded AJAX sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program's functions are executed, Hoffman said in an interview with Computerworld.

The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters, or deleting certain program calls entirely. AJAX environments can also present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken.

"Any secrets stored in JavaScript, whether secret data like discount codes or database connection strings, or secret functionality like backdoor administrative access, will be found and exploited," Hoffman said in a whitepaper he co-authored with Bryan Sullivan, development manager at SPI. "This is a far easier mistake to make in an AJAX application than in a traditional Web application because the client plays a larger role in data processing, presentation and possibly storage," they wrote.

To illustrate the threat, Hoffman and Sullivan demonstrated a series of attacks against a fictitious AJAX-enabled travel reservation site at a Black Hat presentation. The AJAX functionality in the site was completely built using tools and information sources that are commonly used by most AJAX developers today.

Hoffman and Sullivan showed how it was possible via the client browser to change the flow of the reservation program so that it would be possible for an attacker to book a ticket and not pay for it, or pay less than the quoted price for it.

The fundamental mistake that many AJAX developers make is to assume that code available on the client side will be treated in the same manner as server-side code, Sullivan said, speaking with Computerworld after the presentation. He says that such developers fail to realize that when code originally intended to run on a server behind the firewall is delivered to a client browser, it becomes possible to manipulate and change that code.

"When you publicly expose server methods for your Ajax applications, you are essentially creating an API for anyone to call," the two researchers wrote in their white paper. As a result, care should be taken to expose only the required server-side methods, they said, adding that it also becomes vital to validate all user input for correct format and length to mitigate threats.
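The booking-without-paying scenario and the "exposed server methods are an API" point above can be made concrete with a small server-side sketch. The following is an added example written for this article, not code from the researchers, SPI Dynamics or the demonstration site; the fare table, route names and function names are all hypothetical. It contrasts a handler that trusts price and payment fields the browser sends with one that keeps the quote, payment and ticketing state on the server and only accepts a booking that has actually passed through each step in order.

```javascript
// Added example (not from the article or SPI Dynamics). All names,
// routes and fares below are constructed for illustration.

// Constructed sample fare table; in a real system this lives in the database.
const FARES = { "LAS-SFO": 199.0, "LAS-JFK": 349.0 };

// ---- Vulnerable pattern: the server trusts values the client computed ----
// When quote -> pay -> book runs as client-side JavaScript, every field the
// browser posts (price, paid flag) is editable and the steps can be skipped.
function bookTicketTrusting(request) {
  // request = { route, price, paid } exactly as sent by the browser
  if (!request.paid) return { ok: false, reason: "payment required" };
  return { ok: true, ticket: { route: request.route, charged: request.price } };
}

// ---- Hardened pattern: the server owns the workflow and the numbers ----
// Each exposed method is treated as a public API call: inputs are validated
// against server-side data and the booking state machine, never the client.
const bookings = new Map(); // bookingId -> { route, price, state }
let nextId = 1;

function quote(route) {
  // Validate the route against the server's own table (format + existence).
  if (typeof route !== "string" || route.length > 16 ||
      !Object.prototype.hasOwnProperty.call(FARES, route)) {
    return { ok: false, reason: "unknown route" };
  }
  const id = String(nextId++);
  bookings.set(id, { route, price: FARES[route], state: "quoted" });
  return { ok: true, bookingId: id, price: FARES[route] };
}

function pay(bookingId, amount) {
  const b = bookings.get(bookingId);
  if (!b || b.state !== "quoted") return { ok: false, reason: "no open quote" };
  // Compare against the server-stored price, never a client-supplied one.
  if (typeof amount !== "number" || amount !== b.price) {
    return { ok: false, reason: "amount does not match quoted price" };
  }
  b.state = "paid";
  return { ok: true };
}

function bookTicketHardened(bookingId) {
  const b = bookings.get(bookingId);
  // Only a booking that actually went through pay() can be ticketed, and
  // only once; the client cannot assert "paid" or set its own price.
  if (!b || b.state !== "paid") return { ok: false, reason: "not paid" };
  b.state = "ticketed";
  return { ok: true, ticket: { route: b.route, charged: b.price } };
}

// Walk both handlers through the tampered request the article describes:
// a client that claims it paid and names its own price.
function demo() {
  const tampered = { route: "LAS-JFK", price: 1.0, paid: true };
  const trusting = bookTicketTrusting(tampered);        // succeeds, charged 1.0
  const q = quote("LAS-JFK");
  const skipPayment = bookTicketHardened(q.bookingId);  // rejected: not paid
  const underpay = pay(q.bookingId, 1.0);               // rejected: wrong amount
  pay(q.bookingId, q.price);
  const proper = bookTicketHardened(q.bookingId);       // succeeds, charged 349
  return { trusting, skipPayment, underpay, proper };
}

module.exports = { FARES, bookTicketTrusting, quote, pay, bookTicketHardened, demo };
```

The point of the contrast is not the specific checks but where they run: the hardened version keeps the only authoritative copy of the price and of the booking's progress on the server, so editing the client-side script or replaying its calls out of order changes nothing the server relies on.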


Jaikumar Vijayan

Computerworld
