9/14/2006
05:07 PM
Clean Up Ajax Security Problems: A Comparative Review

The CRN Test Center compares Cenzic, SPI, Finjan, and Apache products that help developers mitigate the vulnerabilities posed by Ajax-based Web applications.

Vulnerabilities arise with every new Web technology, and Ajax is no exception. Ajax's instantaneous data feedback is imposing new demands on IT architects to change the way users interact with and access corporate data via Web-based applications.

The danger to IT organizations is that Ajax technology is being perceived as a direct pipeline into corporate data. That's pushing developers to inadvertently expose more data and server logic than ever before.

Ajax's logic also can be hidden from client-side security scanning technologies, allowing hackers to set up the new attacks from remote servers. Ajax, too, falls prey to well-known vulnerabilities such as cross-site scripting, SQL injections and credentials-based security holes.

To give a picture of the dangers of Ajax applications and ways to solve them, the CRN Test Center evaluated four products that cover various aspects of the Web app development life cycle: Cenzic's Hailstorm, the SPI Dynamics suite, Finjan's Vital Security Appliance and Apache's XAP. By using these and other products, developers can significantly reduce Ajax vulnerabilities and make any remaining flaws highly manageable.

CENZIC HAILSTORM
One way to find Ajax flaws is with application security testing suites. To that end, Cenzic's Hailstorm has refined behavioral analysis of Ajax-based Web apps to an art form. Hailstorm can automate some of the most complex stream-based attacks, allowing developers to see how real-world hackers would go about breaking into their Web apps and stealing secure data.

Hailstorm allows developers to inspect all the vulnerabilities in real time to obtain information on which injected code was executed and how the target Web apps responded. Hailstorm also provides suggestions for fixing code from various technologies. Because Web app technologies are so varied, Hailstorm gives examples of generic fixes without showing code structures.

According to Cenzic, two major vulnerabilities surface when Ajax apps make server requests: input validation (such as SQL and script injections) and authentication. The key challenge for developers is to prevent any injected input from being reflected back. Yet receiving modified, Ajax-based data structures without creating vulnerabilities in the code, while still enforcing standard HTTP requests, can be daunting.

For instance, in an HTTP POST request the form fields arrive as ampersand-separated parameters, and each parameter gives an attacker a field to probe for insight into how the server responds. Attackers can also craft custom HTTP headers that carry function calls so that rogue scripts run on the server side. With Hailstorm, developers can identify flaws in HTTP header handling by injecting code and observing the server's responses.

Hailstorm also can check for any post data injection. Where HTTP header responses are vulnerable, Hailstorm can generate cross-site scripting and SQL injection attacks to test server requests and script execution. Hailstorm can inject the headers with null functions to see whether page structures can be modified with rogue functions. Attackers often use null functions in the same way, to elicit messages from the server that reveal the XML structure and the functions being called.

Because Ajax requests are based on XMLHTTP, developers can change the structure of the post data dynamically to provide immediate Ajax-based data results to client browsers from a Web app. However, this feature can be exploited. For example, if hackers could modify any function, they could drop spam on a page.
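The two weaknesses Cenzic names, missing input validation and missing authentication on an Ajax server request, are shown here in a minimal request handler beside a hardened version. This is an added example, not code from the CRN review or from Hailstorm; the endpoint, the `customers` table and the `session` object are assumptions, and no database is touched (the SQL text is returned so the two versions can be compared).

```javascript
// Added example (not from the CRN review). Parses an x-www-form-urlencoded
// Ajax POST body ("a=1&b=2"), then handles it once without and once with
// the checks the review says Ajax endpoints need. Table/session names are
// assumptions for illustration.

// Split the ampersand-separated body into parameters; split each pair on the
// FIRST '=' only, so a value that itself contains '=' survives intact.
function parseForm(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// Vulnerable: no session check, the client-supplied id is concatenated into
// SQL and echoed unescaped into the HTML fragment the browser will insert.
function lookupVulnerable(body) {
  const p = parseForm(body);
  return {
    status: 200,
    sql: "SELECT name FROM customers WHERE id = '" + p.id + "'",
    html: '<div>' + p.id + '</div>',
  };
}

// Hardened: authenticate first, accept only the expected shape, bind the
// value as a query parameter and HTML-escape anything reflected back.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

function lookupHardened(body, session) {
  if (!session || !session.authenticated) return { status: 401 };
  const p = parseForm(body);
  if (!/^\d{1,9}$/.test(p.id || '')) return { status: 400 }; // reject, don't sanitize
  return {
    status: 200,
    sql: 'SELECT name FROM customers WHERE id = ?',
    args: [Number(p.id)],
    html: '<div>' + escapeHtml(p.id) + '</div>',
  };
}
```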

Timing also matters when testing Ajax requests, because not all Ajax method calls are worth attacking. Because Ajax requests are intermediary requests, the changes they make to a page require follow-through responses from server-side components, from end users, or from a combination of both.

NEXT: More on Hailstorm and a look at SPI Dynamics' suite.
