BLACK HAT - Researchers: Rush to Ajax a security threat

Big trend, fast development, low awareness equals bad combo

Software developers using Asynchronous Javascript and XML (AJAX) techniques to jazz up corporate Web sites are failing to pay attention to some very fundamental security issues, security researchers warned at the Black Hat USA conference in Las Vegas on Wednesday.

As a result, many companies that have rushed to AJAX-enable their sites may be dangerously vulnerable to a variety of Web-based threats of which they're not even aware.

AJAX is an increasingly popular programming technique that allows Web designers to make their Web sites more responsive to user input compared to traditional pages. Google, Yahoo and many other sites have embraced AJAX, which enables new content to be added to a Web page in response to user input without needing the entire page to be reloaded.

AJAX allows the browser to fetch small amounts of data from the Web server from which the content is loaded, using Javascript and XML technologies. The approach is considered more efficient than having an entire Web page reload every time content needs to be refreshed. But if care is not taken to control the manner in which the browser accesses the server data, all sorts of security issues can arise, says Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics.

Among the biggest of these threats, says Hoffman, is the opening that poorly coded AJAX sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program's functions are executed, Hoffman said in an interview with Computerworld.

The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters, or deleting certain program calls entirely. AJAX environments can also present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken.

"Any secrets stored in JavaScript, whether secret data like discount codes or database connection strings, or secret functionality like backdoor administrative access, will be found and exploited," Hoffman said in a whitepaper he co-authored with Bryan Sullivan, development manager at SPI. "This is a far easier mistake to make in an AJAX application than in a traditional Web application because the client plays a larger role in data processing, presentation and possibly storage," they wrote.

To illustrate the threat, Hoffman and Sullivan demonstrated a series of attacks against a fictitious AJAX-enabled travel reservation site at a Black Hat presentation. The AJAX functionality in the site was completely built using tools and information sources that are commonly used by most AJAX developers today.

Hoffman and Sullivan showed how it was possible via the client browser to change the flow of the reservation program so that it would be possible for an attacker to book a ticket and not pay for it, or pay less than the quoted price for it.

The fundamental mistake that many AJAX developers make is to assume that code available on the client side will be treated in the same manner as server-side code, Sullivan said, speaking with Computerworld after the presentation. What such developers fail to realize, he said, is that when code originally intended to run on a server behind the firewall is delivered to a client browser, it becomes possible to manipulate and change that code.

"When you publicly expose server methods for your Ajax applications, you are essentially creating an API for anyone to call," the two researchers wrote in their white paper. As a result, care should be taken to expose only the required server-side methods, they said, adding that it also becomes vital to validate all user input for correct format and length to mitigate threats.

Jaikumar Vijayan

Computerworld