The price of functionality

Tools such as AJAX add performance to Web sites but open new doors for attack

Web 2.0 is the new big thing on the Internet, but the tools used to enhance Web sites also leave a new crop of vulnerabilities, many of them unforeseen by developers. For all the innovation in software and hardware, the same old battles remain when functionality outstrips security.

'There really isn't anything new in security,' said Bill Hoffman, lead researcher at SPI Dynamics, at the recent Black Hat Briefings information technology security conference in Las Vegas. 'Anyone who says there is is lying.'

At the conference, Hoffman and John Terrill, executive vice president and co-founder of Enterprise Management Technology, demonstrated some of the possibilities of a new hybrid worm that uses server-side and client-side languages to exploit a Web server and the client's Web browser. The proof-of-concept worm is polymorphic and evolves to defend itself and find new avenues of attack.

'While these are not new concepts, applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges,' Hoffman said.

Developers use JavaScript as a transport format for Web data to get around the same-origin policy built into browsers. Browsers use the policy to partition information from different sites and ensure that one Web site cannot use the browser to read information belonging to a second Web site. But the policy assumes that the information it protects will be in HTML. Asynchronous JavaScript and Extensible Markup Language (AJAX) gets around that limitation.

Open for exploit

'It's very creative,' said Brian Chess, chief scientist and founder of Fortify Software. But it also opens some Web sites to an exploit called JavaScript hijacking. 'It's an unforeseen consequence of what sounds like a good idea.'

At the root of the vulnerabilities is a problem as old as software itself: the disconnect between members of the development and security communities. Developers don't know security, and security people don't know coding. As a result, security is often an afterthought.

'You have to do security early in the development life cycle,' Hoffman said in an interview with GCN.

Chess and Hoffman were at the Las Vegas conference to emphasize the need for secure software development to help prevent such unintended consequences.

Web 2.0 is a broad term for interactive online functionality that includes collaboration and user-generated content. A cornerstone of that functionality is AJAX, a technique for creating Web applications that improve browser performance by loading only the changes in a Web page rather than reloading the entire page. Developers make the function calls in JavaScript and format data in XML.

AJAX is only one Web 2.0 tool, but 'we focus on AJAX because that's what most people are familiar with,' Hoffman said.

'One of the tenets of Web security is: Don't send anything to the client because you can't trust it,' Hoffman said. But that tenet was developed at a time when it was difficult to run processes in a browser. With the advent of tools such as AJAX, sending code and data to the client is becoming more common.

However, it creates an environment in which the current model of securing IT systems by constantly adding more tools to the network or host is unsustainable. Increasingly interactive applications find ways around or through those static defenses, Chess said.

Hoffman said experts are already seeing exploits that take advantage of those weaknesses. Hackers have targeted application program interfaces that enable mashups, in which content is combined from multiple sources on a new site. Some users of the MySpace social networking site created self-propagating worms that injected JavaScript into profiles and used AJAX in the background. The attacks began in 2005 and continued into 2006 until MySpace shut down for a day to repair the vulnerability that allowed the propagation. In at least one case, a spammer apparently used the worms to harvest e-mail addresses and deliver ads.

Earlier this year, researchers at Fortify Software described JavaScript hijacking in a paper as an example of a traditional security failing. AJAX uses JavaScript to enable the interactive components of Web 2.0, such as mashups, but it introduces security weaknesses.

'An application can be mashup-friendly or it can be secure, but it cannot be both,' the researchers wrote.
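The mechanism behind JavaScript hijacking, and the defenses the article's sources argue for, are easier to see in code. The following is an added example written for this page, not code from the article, Fortify Software or SPI Dynamics. It simulates one AJAX endpoint twice: first returning a bare JSON array (the form a page on another origin can pull in with a script tag, since the user's cookie is sent automatically and a bare array is a valid JavaScript expression), then hardened so the same response cannot be used that way. The request and response objects are plain constructed objects rather than a real HTTP framework, the contact data and session store are constructed, and the `SESSIONS` lookup stands in for whatever session mechanism a real application would use.

```javascript
// Constructed sample data a logged-in user's AJAX call would legitimately fetch.
const CONTACTS = [
  { name: "Alice Example", email: "alice@example.invalid" },
  { name: "Bob Example", email: "bob@example.invalid" },
];

// Constructed session store (hypothetical; stands in for a real one).
const SESSIONS = { "sess-123": { csrfToken: "tok-abc" } };

// Vulnerable variant: authenticates by cookie alone and returns a bare JSON
// array. Any origin can load this URL via <script src=...>; the browser
// attaches the cookie, evaluates the array, and the surrounding page can
// observe the values. That is the "mashup-friendly" but hijackable shape.
function contactsHandlerVulnerable(req) {
  const cookies = req.cookies || {};
  if (!SESSIONS[cookies.session]) return { status: 401, body: "" };
  return { status: 200, body: JSON.stringify(CONTACTS) };
}

// Hardened variant, layering three defenses:
//  1. require a custom header that XMLHttpRequest on the same origin can set
//     but a <script> tag cannot;
//  2. require a POST carrying the session's CSRF token;
//  3. prefix the body with a guard so the response is not a usable script
//     even if a future bug lets it be included cross-origin.
const JSON_GUARD = "while(1);";

function contactsHandlerHardened(req) {
  const cookies = req.cookies || {};
  const headers = req.headers || {};
  const body = req.body || {};
  const session = SESSIONS[cookies.session];
  if (!session) return { status: 401, body: "" };
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  if (req.method !== "POST" || body.csrfToken !== session.csrfToken) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: JSON_GUARD + JSON.stringify(CONTACTS) };
}

// The application's own AJAX client reads the text through XMLHttpRequest
// (same origin), strips the guard, and parses the remainder as JSON.
function parseGuardedJson(text) {
  if (!text.startsWith(JSON_GUARD)) {
    throw new Error("response missing anti-hijacking guard");
  }
  return JSON.parse(text.slice(JSON_GUARD.length));
}

// Defender's check for an endpoint's response body: does the whole body
// compile as a single JavaScript expression? A bare JSON array does, which is
// what makes it consumable by a <script> tag; a guarded body does not.
// Uses the Function constructor to compile only, never to run the body.
function compilesAsExpression(body) {
  try {
    new Function("return (" + body + ");");
    return true;
  } catch (e) {
    return false;
  }
}

// Stand-alone demonstration of both variants against the same request.
function demo() {
  const ajaxRequest = {
    method: "POST",
    cookies: { session: "sess-123" },
    headers: { "x-requested-with": "XMLHttpRequest" },
    body: { csrfToken: "tok-abc" },
  };
  const scriptTagRequest = { method: "GET", cookies: { session: "sess-123" } };
  return {
    vulnerableViaScriptTag: contactsHandlerVulnerable(scriptTagRequest).status,
    hardenedViaScriptTag: contactsHandlerHardened(scriptTagRequest).status,
    hardenedViaAjax: contactsHandlerHardened(ajaxRequest).status,
    hardenedBodyIsScript:
      compilesAsExpression(contactsHandlerHardened(ajaxRequest).body),
  };
}
```

Running `demo()` shows the script-tag-style request (cookie only, no custom header) getting the data from the vulnerable handler but a 403 from the hardened one, while the application's own XMLHttpRequest call still succeeds and its guarded body no longer compiles as an expression. The guard alone is a last line of defense; the header and token checks are what actually refuse the cross-origin request.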

Although functionality still often trumps security, software development is becoming more security-conscious. And the process is changing in large part because of public demand, Chess said.

'The public is catching on' because of the high visibility of identity theft and electronic voting concerns, he said. 'People are increasingly intolerant of somebody just saying "oops"' in the wake of a security failure, he added.

'In the federal space, it is coming on a little slowly,' Chess said. And the government is a major software developer. 'One of the things I am amazed at is the number of people there writing software.'

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
