BLACK HAT - Researchers: Rush to Ajax a security threat

Big trend, fast development, low awareness equals bad combo

Software developers using Asynchronous JavaScript and XML (AJAX) techniques to jazz up corporate Web sites are failing to pay attention to some very fundamental security issues, security researchers warned at the Black Hat USA conference in Las Vegas on Wednesday.

As a result, many companies that have rushed to AJAX-enable their sites may be dangerously vulnerable to a variety of Web-based threats of which they're not even aware.

AJAX is an increasingly popular programming technique that lets Web designers make their sites respond to user input more quickly than traditional pages do. Google, Yahoo and many other sites have embraced AJAX, which allows new content to be added to a Web page in response to user input without reloading the entire page.

AJAX allows the browser to fetch small amounts of data from the Web server that serves the page, using JavaScript and XML technologies, rather than reloading the whole page every time content needs to be refreshed. But if care is not taken to control the manner in which the browser accesses the server's data, all sorts of security issues can arise, says Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics.

Among the biggest of these threats, says Hoffman, is the opening that poorly coded AJAX sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program's functions are executed, Hoffman said in an interview with Computerworld.

The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters, or deleting certain program calls entirely. AJAX environments can also present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken.

"Any secrets stored in JavaScript, whether secret data like discount codes or database connection strings, or secret functionality like backdoor administrative access, will be found and exploited," Hoffman said in a whitepaper he co-authored with Bryan Sullivan, development manager at SPI. "This is a far easier mistake to make in an AJAX application than in a traditional Web application because the client plays a larger role in data processing, presentation and possibly storage," they wrote.

To illustrate the threat, Hoffman and Sullivan demonstrated a series of attacks against a fictitious AJAX-enabled travel reservation site at a Black Hat presentation. The site's AJAX functionality was built entirely with the tools and information sources that most AJAX developers rely on today.

Hoffman and Sullivan showed how it was possible via the client browser to change the flow of the reservation program so that it would be possible for an attacker to book a ticket and not pay for it, or pay less than the quoted price for it.

The fundamental mistake that many AJAX developers make is to assume that code available on the client side will be treated in the same manner as server-side code, Sullivan said, speaking with Computerworld after the presentation. Such developers fail to realize that once code originally intended to run on a server behind the firewall is delivered to a client browser, anyone can read, manipulate and change that code, he said.

"When you publicly expose server methods for your Ajax applications, you are essentially creating an API for anyone to call," the two researchers wrote in their white paper. As a result, care should be taken to expose only the required server-side methods, they said, adding that it also becomes vital to validate all user input for correct format and length to mitigate threats.
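The following is an added illustration, not code from the Black Hat demo, SPI Dynamics' white paper or this article. It models in plain JavaScript the class of mistake the researchers describe: a booking flow whose pricing and payment logic was pushed out to the browser, beside a version in which the server owns the state machine, recomputes the price, keeps the discount table to itself and validates every field for format and length before use. All names, fares and the discount code (FARES, SERVER_DISCOUNTS, bookVulnerable, quote, recordPayment, issueTicket) are constructed for the example.

```javascript
// Added illustration, not code from the Black Hat demo, SPI Dynamics' white paper
// or Computerworld. Everything here (FARES, SERVER_DISCOUNTS, bookVulnerable,
// quote/recordPayment/issueTicket, the sample requests) is constructed for the
// example; the fares and discount are invented numbers.

// Server-side fare table. In the vulnerable design below, a copy of this table and
// the price arithmetic were pushed out to the browser as JavaScript.
const FARES = { "LAS-SFO": 189.0, "LAS-JFK": 412.5 };

// ---- Vulnerable design: the browser owns the booking flow --------------------------
// Client-side script computes the fare, applies any discount, runs the "payment"
// step and finally POSTs { route, price, paid } to this handler. The server only
// records what it is told, so anyone who edits the request (proxy, browser console,
// or a direct call to the endpoint) can skip the payment step or set the price.
function bookVulnerable(req) {
  if (req.paid !== true) return { ok: false, reason: "not paid" };
  return { ok: true, route: req.route, charged: req.price };
}

// ---- Hardened design: the server owns the state machine --------------------------
// States go quoted -> paid -> ticketed, and each step verifies the previous one
// happened on the server. The client sends only identifiers; every field is checked
// for type, format and length before use; the price is recomputed from FARES; the
// discount table never leaves the server; payment is confirmed from the server's
// own gateway result rather than a client-supplied flag.
const ROUTE_RE = /^[A-Z]{3}-[A-Z]{3}$/;        // exact shape: "LAS-SFO"
const DISCOUNT_RE = /^[A-Z0-9]{4,8}$/;        // bounded length, safe charset
const SERVER_DISCOUNTS = { SUMMER10: 0.10 };  // secret: stays on the server
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const reservations = new Map();
let nextId = 1;

function quote(route, discountCode) {
  if (typeof route !== "string" || !ROUTE_RE.test(route) || !has(FARES, route)) {
    throw new Error("invalid route");           // also rejects injection payloads
  }
  let price = FARES[route];
  if (discountCode !== undefined) {
    if (typeof discountCode !== "string" || !DISCOUNT_RE.test(discountCode)) {
      throw new Error("invalid discount code");
    }
    if (has(SERVER_DISCOUNTS, discountCode)) {
      price = Math.round(price * (1 - SERVER_DISCOUNTS[discountCode]) * 100) / 100;
    }
  }
  const id = String(nextId++);
  reservations.set(id, { route, price, state: "quoted" });
  return { id, price };
}

// Called with the amount the payment gateway actually settled, never a client field.
function recordPayment(id, settledAmount) {
  const r = reservations.get(id);
  if (!r || r.state !== "quoted") throw new Error("nothing to pay");
  if (settledAmount !== r.price) throw new Error("settled amount != quoted price");
  r.state = "paid";
  return true;
}

function issueTicket(id) {
  const r = reservations.get(id);
  if (!r || r.state !== "paid") throw new Error("not paid"); // step cannot be skipped
  r.state = "ticketed";
  return { route: r.route, charged: r.price };
}

// Walk-through with constructed requests: the same tampering against both designs.
function demo() {
  // Attacker's edited request against the vulnerable handler: free ticket.
  const forged = bookVulnerable({ route: "LAS-JFK", price: 0, paid: true });
  // Same attempt against the hardened flow: cannot jump straight to the ticket.
  const q = quote("LAS-JFK", "SUMMER10");
  let skipped;
  try { issueTicket(q.id); skipped = "ticket issued"; } catch (e) { skipped = e.message; }
  recordPayment(q.id, q.price);
  return { forged, quoted: q.price, skippedPayment: skipped, ticket: issueTicket(q.id) };
}

console.log(demo());
```

The point of the hardened half is that the server treats the browser as an untrusted caller of a public API: the only methods exposed are the three the flow needs, each accepts only identifiers and short validated strings, and no decision (price, discount, payment status, ordering of steps) is taken from anything the client computed.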

Jaikumar Vijayan

Computerworld