AJAX Vulnerabilities Could Pose Serious Risks

By Matt Hines  |  Posted 08-03-2006
LAS VEGAS—AJAX technology is rapidly being adopted by online businesses to help boost the interactivity of their Web sites, but a long list of potential vulnerabilities introduced by inexperienced programmers could create a troubling security landscape for Web 2.0 technologies.

Speaking at the ongoing Black Hat security conference being held here July 31 - Aug. 3, Billy Hoffman, lead research engineer in the labs division of Atlanta-based security software maker SPI Dynamics, outlined a range of shortcomings he sees in the current development process for most common AJAX (Asynchronous JavaScript and XML) applications.

AJAX is an extension to the JavaScript programming language that is used to improve the responsiveness of Web sites by automating the exchange of information between browsing software and sites' back-end Web servers.

For instance, the technology can allow a Webmail site to automatically download messages into a user's inbox without requiring the individual to refresh their browser screen. Well-known sites such as Google Maps, Yahoo and MySpace already employ AJAX tools in a number of ways.

Hoffman maintains that the current push by businesses to add AJAX tools to improve their sites and Web applications could create a slew of serious vulnerabilities, as inexperienced developers fail to properly protect their work and attackers learn to use the benefits of AJAX to their advantage.

"AJAX applications have a huge attack surface, much larger than traditional applications," Hoffman said. "And the buzz around AJAX is creating immense security implications, as the available knowledge bases and types of resources available for developers are poor."

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

As more programmers begin to work with AJAX, there will be an opportunity for hackers to launch a range of serious threats against sites with insufficient defenses in place, according to Hoffman.

The Yamanner virus that struck Yahoo's Webmail system and the Samy worm attack that targeted users of the popular MySpace social networking site reflect the types of attacks that Hoffman said he believes will be more prevalent in the years to come as AJAX becomes more pervasive.

Whereas the data used in more traditional Web applications exists largely on back-end servers, AJAX extends programs across both the client device and the server, creating far more opportunities for hackers to deliver malware onto sites. While a traditional online form requires users to hit submit to transmit all of their information to a Web site, creating a single communication that could be targeted by malware programs, an AJAX-enabled form that automatically relays the data from each field as data is entered will launch multiple transmissions that virus writers can latch into, Hoffman said.

By exploiting shortcomings in AJAX programmers' work, hackers may also be able to gain access to Web applications themselves and wreak havoc with online businesses.

"Now [an attacker] is inside your application and can create a pipeline that allows them to see all the function names, variables and parameters of your site," Hoffman said.

Read the full story on eWEEK.com: AJAX Vulnerabilities Could Pose Serious Risks