Despite the several ways to break down a Web site built using Ajax, all is not lost, according to SPI Dynamics.
To prove this theory, SPI Dynamics Wednesday at the Black Hat USA 2007 conference in Las Vegas demonstrated several ways to break down a Web site they built using Ajax. The company dubbed the rush to erect Ajax-based Web sites "Premature Ajax-ulation," and proceeded to describe how it can be diagnosed, treated, and even avoided.
To demonstrate the lack of attention paid to securing Ajax, all of the techniques and approaches SPI researchers used to construct their fictitious site, called HackerVacations.com, came from books and other readily available resources about Ajax. The result was a site where flight pricing, seat selection, and other features were easily manipulated.
"Developers write these applications the way they're supposed to be used," Bryan Sullivan, SPI's development manager, told InformationWeek. "That's great, except that you've only ever tried to exercise the application the way it's intended to be used." Those attacking the application have no such inhibitions.
"Bryan and I were shocked at the bad advice published in Ajax security books," Billy Hoffman, lead security researcher for SPI, which is set to be bought by HP, told InformationWeek.
Ajax is seductive because it lets developers build applications that are as responsive as a desktop app but available over the Web. Ajax has risen to prominence on the back of applications such as Google Maps, which breaks up complex functions so that the users get more immediate gratification from their requests for information.
The news wasn't all bad, however. It is possible to write secure Ajax applications if programmers carefully define and validate the data parameters their applications accept as well as the output the applications deliver. Barring that, abstinence, or at least using Ajax sparingly, may be the best solution.
The Agile ArchiveWhen it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
2014 Analytics, BI, and Information Management SurveyITís tried for years to simplify data analytics and business intelligence efforts. Have visual analysis tools and Hadoop and NoSQL databases helped? Respondents to our 2014 InformationWeek Analytics, Business Intelligence, and Information Management Survey have a mixed outlook.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.