From Blackhat USA 2007: Some AJAX Apps Not So Secure
August 03, 2007 |
The Black Hat USA 2007 conference took place in Las Vegas over the four days of July 28 through August 2. Lots of topics and issues were covered, and lots of holes were exploited (for demonstration purposes only, of course), between all the briefings and training sessions.
One item that received a fair amount of attention was AJAX, the asynchronous combination of JavaScript and XML, employed by a great number of developers today at small startups and Internet behemoths alike to give users of their websites and online applications near-instantaneous access to information without a full page reload. If you’re not sure what AJAX looks and feels like, just pay a visit to Google Maps. Or Meebo. Or Digg. Or Pageflakes. The complete list easily runs into the thousands.
Unfortunately, many such sites rich in AJAX code aren’t nearly as safe as they ought to be, say a number of security experts. SPI Dynamics, who presented at the conference, claims information – both sensitive and not – can be compromised and fall into the hands of hackers without much effort. They lay blame for the widespread shoddy security partly on the shoulders of many authors of books on AJAX security, accusing some of offering “bad advice” to their readers, and partly on the naïve general belief that because AJAX is still quite young, it is not prone to attack.
SPI even demonstrated for a Black Hat 2007 crowd the dangers developers unknowingly (and sometimes knowingly) face when creating AJAX-based or AJAX-infused websites.
AJAX promoters, developers, and users shouldn’t be completely discouraged from using the technology, however. As a report in Information Week attests, coders can protect their applications by carefully defining and validating “the data parameters their applications accept as well as the output the applications deliver.” In practice that means treating every asynchronous request as untrusted server input, just like a form post, and encoding every response before it is placed into the page.
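The advice above, as an added example that is not part of the original article or of SPI Dynamics’ demonstration: a small JavaScript lookup endpoint that allow-lists the parameters it accepts and encodes the JSON it returns, paired with the client-side step that parses the response with JSON.parse (never eval) and inserts it as text rather than HTML. The handler name, the allowed field names and the sample records are constructed for illustration.

```javascript
// Added example, not code from the article. Names and data are assumptions.

// Explicit allow-list of fields a caller may ask for; anything else is rejected.
const ALLOWED_FIELDS = new Set(["name", "city"]);
// Record ids are 1 to 9 digits; no other shape is accepted.
const ID_PATTERN = /^[0-9]{1,9}$/;

// Constructed sample data standing in for a database. Note the "ssn" column
// is never returned even if a caller asks for it, and record 7 contains
// characters that would be dangerous if echoed back unencoded.
const RECORDS = {
  "42": { name: "Ada Lovelace", city: "London", ssn: "redacted" },
  "7": { name: "O'Brien <admin>", city: "Dublin", ssn: "redacted" },
};

// Validate the request parameters against the allow-list.
// Returns { ok: true, id, fields } or { ok: false, error }.
function validateLookupParams(params) {
  if (typeof params.id !== "string" || !ID_PATTERN.test(params.id)) {
    return { ok: false, error: "id must be 1-9 digits" };
  }
  const fields = Array.isArray(params.fields) ? params.fields : [params.fields];
  for (const f of fields) {
    if (!ALLOWED_FIELDS.has(f)) {
      return { ok: false, error: "field not allowed: " + f };
    }
  }
  return { ok: true, id: params.id, fields };
}

// Serialize a response so it is safe wherever it lands: escape '<' so a
// "</script>" inside a value cannot close a script block, and escape the
// line separators U+2028/U+2029, which are legal in JSON but not in JS.
function encodeJsonResponse(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

const JSON_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
};

// The endpoint: only validated fields are read from the record, and only
// those are returned. Errors are returned as JSON, never as raw HTML.
function lookupHandler(params) {
  const v = validateLookupParams(params);
  if (!v.ok) {
    return { status: 400, headers: JSON_HEADERS, body: encodeJsonResponse({ error: v.error }) };
  }
  const rec = RECORDS[v.id];
  if (!rec) {
    return { status: 404, headers: JSON_HEADERS, body: encodeJsonResponse({ error: "not found" }) };
  }
  const out = {};
  for (const f of v.fields) out[f] = rec[f];
  return { status: 200, headers: JSON_HEADERS, body: encodeJsonResponse(out) };
}

// Client side: HTML-encode every value before it goes into the DOM.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Client side: parse the body with JSON.parse and build list items from
// encoded text, so a value like "<img src=x onerror=...>" renders inert.
function renderResult(body) {
  const data = JSON.parse(body);
  return Object.entries(data)
    .map(([k, v]) => "<li>" + escapeHtml(k) + ": " + escapeHtml(v) + "</li>")
    .join("");
}
```

The point of the allow-list is that the server decides which columns can be read and which request shapes are meaningful; the client never gets to name an arbitrary field or id format. The output side is encoded twice on purpose: once as JSON that cannot break out of a script context, and again as HTML at the moment it is inserted into the page.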
Some will certainly think twice about providing sensitive information to sites which utilize AJAX upon learning that pronounced gaps do exist in the architecture of some domains on the Web. But for the most part, AJAX is in widespread use only in applications that do not require the true identities and banking information of visitors and members, so it is difficult to foresee a wave of troubling reports in the near future about the compromise of individual or corporate information due to problems with AJAX. The examples listed in the second paragraph of this piece are several cases in point. Unless one is naively passing credit card information along via the online IM client Meebo, there seems to be no reason for anyone to tremble with fear upon hearing this news.
None of this means that companies currently building or working with AJAX utilities shouldn’t address deficiencies before things start to get ugly. Troubleshooting them now would only make good sense.