AJAX security: Everything old is new again
- By William Jackson
- Aug 01, 2007
LAS VEGAS - Web 2.0 is the new big thing on the Internet, but it comes with many of the same vulnerabilities as the old Web 1.0.
"There really isn't anything new in security," said Bill Hoffman, lead researcher at SPI Dynamics. "Anyone who says there is, is lying."
Hoffman and John Terrill, executive vice president at Enterprise Management Technology, were at the Black Hat Briefings security conference this week demonstrating some of the possibilities of a new hybrid worm using both server-side and client-side languages to exploit both the Web server and the client's Web browser. The proof-of-concept worm is polymorphic and evolves to defend itself and find new avenues of attack.
At the root of the vulnerabilities being exploited is a problem as old as software itself: the disconnect between the development and security communities. Developers don't know security, and security people don't know coding. Too often, that leaves security an afterthought and software vulnerable.
"You have to do security early in the development life cycle," Hoffman said in an interview with GCN.
AJAX is only one tool in Web 2.0 development, but "we focus on AJAX because that's what most people are familiar with," Hoffman said.
As the acronym (Asynchronous JavaScript and XML) spells out, the components of AJAX are not new; the technique of combining them was given its own name in 2005.
With AJAX, "we're pushing a little more of the logic and code to the browser" to get the improved efficiency, Hoffman said. Rather than simply requesting and displaying data from a server, the browser now does more computing on its own. "The line of what runs on the server and what runs on the client is becoming more blurred." And that has repercussions for security.
"One of the tenets of Web security is don't send anything to the client, because you can't trust it," Hoffman said. But that tenet was developed at a time when running processes in the browser was difficult. With the advent of tools such as AJAX it is much simpler, and becoming more common.
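The following is an added example, not code from the article, from SPI Dynamics or from the presenters, showing why logic pushed to the browser cannot be trusted. It models an AJAX-style checkout in which the browser computes the order total and posts it back. The price list, the cart, the endpoint names and the tampered requests are all constructed for illustration; the point is that the server variant which honours the client's arithmetic is defeated by editing one JSON field, while the hardened variant recomputes everything from server-side data and validates each field it receives.

```javascript
// Added example (hypothetical checkout, constructed data); not from the article.
// Prices are in cents. The server's copy is authoritative; the client gets a copy
// so it can render and pre-compute totals for a responsive UI.
const SERVER_PRICES = Object.freeze({ widget: 1000, gadget: 2500 });
const CLIENT_PRICES = { ...SERVER_PRICES }; // what the page shipped to the browser

// --- client side: runs in the browser, entirely under the user's control ---
// Builds the JSON body an XMLHttpRequest would POST to a hypothetical /checkout.
function clientBuildOrder(cart) {
  const total = cart.reduce((sum, item) => sum + CLIENT_PRICES[item.sku] * item.qty, 0);
  return JSON.stringify({ items: cart, total });
}

// What an attacker does with a proxy or the browser console: rewrite the body
// after the page's JavaScript has produced it.
function tamperBody(rawBody, changes) {
  return JSON.stringify({ ...JSON.parse(rawBody), ...changes });
}

// --- server side, trusting variant: charges whatever the client says ---
function serverChargeTrusting(rawBody) {
  const order = JSON.parse(rawBody);
  return { accepted: true, charged: order.total };
}

// --- server side, hardened variant: the client's total is treated as a hint only ---
// Every field is validated and the amount is recomputed from SERVER_PRICES.
function serverChargeHardened(rawBody) {
  let order;
  try {
    order = JSON.parse(rawBody);
  } catch (e) {
    return { accepted: false, reason: 'malformed JSON' };
  }
  if (!order || !Array.isArray(order.items) || order.items.length === 0) {
    return { accepted: false, reason: 'missing items' };
  }
  let total = 0;
  for (const item of order.items) {
    // hasOwnProperty rather than `in`: rejects "__proto__", "toString", etc.
    if (typeof item.sku !== 'string' ||
        !Object.prototype.hasOwnProperty.call(SERVER_PRICES, item.sku)) {
      return { accepted: false, reason: 'unknown sku' };
    }
    // Integer check also rejects strings such as "2" and floats such as 0.5.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      return { accepted: false, reason: 'bad quantity' };
    }
    total += SERVER_PRICES[item.sku] * item.qty;
  }
  // A mismatch is not fatal (stale price list), but it is worth logging for detection.
  const clientTotalMismatch = order.total !== total;
  return { accepted: true, charged: total, clientTotalMismatch };
}

// Walk-through with a constructed cart: 2 widgets + 1 gadget = 4500 cents.
function demo() {
  const honest = clientBuildOrder([{ sku: 'widget', qty: 2 }, { sku: 'gadget', qty: 1 }]);
  const cheapTotal = tamperBody(honest, { total: 1 });
  const freeSku = tamperBody(honest, { items: [{ sku: '__proto__', qty: 1 }] });
  const negativeQty = tamperBody(honest, { items: [{ sku: 'widget', qty: -5 }] });
  return {
    trustingOnTamperedTotal: serverChargeTrusting(cheapTotal),   // charged: 1
    hardenedOnTamperedTotal: serverChargeHardened(cheapTotal),   // charged: 4500, mismatch flagged
    hardenedOnBogusSku: serverChargeHardened(freeSku),           // rejected
    hardenedOnNegativeQty: serverChargeHardened(negativeQty),    // rejected
  };
}

console.log(demo());
```

The pattern generalises beyond prices: any value the browser computes (a role, a discount flag, a record ID, a "validated" marker) arrives at the server as untrusted input, so the server must either recompute it or check it against its own state. Client-side validation is a usability feature, not a control.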
Because the vulnerabilities exploited through AJAX applications, including buffer overflows and SQL injection, are not new, tools to find them in code already exist. Not surprisingly, SPI Dynamics sells some of them, including DevInspect, QAInspect and WebInspect, which cover the development, quality assurance and deployment phases of new applications. But Hoffman said he was not pushing his products in his presentation.
"There are some good open-source products out there," he said. "I don't care what you use. Just use something."
As always, functionality has outstripped security, but the situation is not hopeless, Hoffman said. As Web applications mature, "we're starting to see minimum standards for security as vendors start to realize the importance of Web security."
The key to making those standards work will be to integrate them into the development process rather than trying to find and fix bugs after the fact.
William Jackson is a Maryland-based freelance writer.