AJAX security: Everything old is new again

LAS VEGAS ' Web 2.0 is the new big thing on the Internet, but it comes with many of the same vulnerabilities as the old Web 1.0.

'There really isn't anything new in security,' said Bill Hoffman, lead researcher at SPI Dynamics. 'Anyone who says there is, is lying.'

Hoffman and John Terrill, executive vice president at Enterprise Management Technology, were at the Black Hat Briefings security conference this week demonstrating some of the possibilities of a new hybrid worm using both server-side and client-side languages to exploit both the Web server and the client's Web browser. The proof-of-concept worm is polymorphic and evolves to defend itself and find new avenues of attack.

'While these are not new concepts, applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges,' Hoffman said.

At the root of the vulnerabilities being exploited is a problem as old as software itself: the disconnect between development and security communities. Developers don't know security and security people don't know coding. This too often leaves security an afterthought and leaves software vulnerable.

'You have to do security early in the development life cycle,' Hoffman said in an interview with GCN.

Web 2.0 is a broad term for interactive online functionality, including collaboration and user-generated content enabled by Web applications. A cornerstone of this functionality is AJAX, Asynchronous JavaScript and Extensible Markup Language, a technique for creating Web applications that improve performance on the browser by loading changes in a Web page rather than reloading the entire page. Function calls are made in JavaScript and data is formatted in XML.

AJAX is only one tool in Web 2.0 development, but 'we focus on AJAX because that's what most people are familiar with,' Hoffman said.

As the acronym implies, the components of AJAX are not new, but the technique of using them was formalized under its own name in 2005.

With AJAX, 'we're pushing a little more of the logic and code to the browser' to get the improved efficiency, Hoffman said. Rather than simply requesting and displaying data from a server, the browser now is doing more computing on its own. 'The line of what runs on the server and what runs on the client is becoming more blurred.' And this had repercussions for security.

'One of the tenets of Web security is don't send anything to the client, because you can't trust it,' Hoffman said. But that tenet was developed at a time when running processes on the browser was difficult. With the advent of tools such as AJAX it is much more simple and becoming more common.

'We're seeing stuff in the wild' that exploit these weaknesses, Hoffman said. Application Programming Interfaces that enable mashups, where content is combined from multiple sources on a new site, have been a target for these types of exploits. Some users of the MySpace social networking site are creating self-propagating worms that inject JavaScript into profiles and use AJAX in the background. The attacks began in 2005 and continued into 2006 until MySpace shut down for a day to clean up the vulnerability that allowed the propagation. In at least one case the worms apparently were used by a spammer to harvest e-mail addresses and deliver ads.

Because the vulnerabilities being compromised under AJAX exploits, including buffer overflows and SQL injection, are not new, there already are tools to discover them in code. Not surprisingly, SPI Dynamics sells some of them, including DevInspect, QAInspect and WebInspect, which can be used in the development, quality and assurance, and deployment phases of new applications. But Hoffman said he is not pushing his products in his presentation.

'There are some good open-source products out there,' he said. 'I don't care what you use. Just use something.'

As always, functionality has outstripped security, but the situation is not hopeless, Hoffman said. As Web applications mature, 'we're starting to see minimum standards for security as vendors start to realize the importance of Web security.'

The key to making those standards work will be to integrate them into the development process rather than trying to find and fix bugs after the fact.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected