AJAX Vulnerabilities Could Pose Serious RisksBy Matt Hines | Posted 2006-08-03 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
News Analysis: Sloppy programming and the rush to add Web 2.0 technology to Web sites could create a significant attack vector that threatens businesses and private users alike.LAS VEGASAJAX technology is rapidly being adopted by online businesses to help boost the interactivity of their Web sites, but a long list of potential vulnerabilities introduced by inexperienced programmers could create a troubling security landscape for Web 2.0 technologies.
For instance, the technology can allow a Webmail site to automatically download messages into a user's inbox without requiring the individual to refresh their browser screen. Well-known sites such as Google Maps, Yahoo and MySpace already employ AJAX tools in a number of ways.
Hoffman maintains that the current push by businesses to add AJAX tools to improve their sites and Web applications could create a slew of serious vulnerabilities, as inexperienced developers fail to properly protect their work and attackers learn to use the benefits of AJAX to their advantage.
"AJAX applications have a huge attack surface, much larger than traditional applications," Hoffman said. "And the buzz around AJAX is creating immense security implications, as the available knowledge bases and types of resources available for developers are poor."
As more programmers begin to work with AJAX, there will be an opportunity for hackers to launch a range of serious threats against sites with insufficient defenses in place, according to Hoffman.
The Yamanner virus that struck Yahoo's Webmail system and the Samy worm attack that targeted users of the popular MySpace social networking site reflect the types of attacks that Hoffman said he believes will be more prevalent in the years to come as AJAX becomes more pervasive.
Whereas the data used in more traditional Web applications exists largely on back-end servers, AJAX extends programs across both the client device and the server, creating far more opportunities for hackers to deliver malware onto sites. While a traditional online form requires users to hit submit to transmit all of their information to a Web site, creating a single communication that could be targeted by malware programs, an AJAX-enabled form that automatically relays the data from each field as data is entered will launch multiple transmissions that virus writers can latch into, Hoffman said.
By exploiting shortcomings in AJAX programmers' work, hackers may also be able to gain access to Web applications themselves and wreak havoc with online businesses.
"Now [an attacker] is inside your application and can create a pipeline that allows them to see all the function names, variables and parameters of your site," Hoffman said.
Read the full story on eWEEK.com: AJAX Vulnerabilities Could Pose Serious Risks