Clean Up Ajax Security Problems: A Comparative Review
The CRN Test Center compares Cenzic, SPI, Finjan, and Apache products that help developers mitigate the vulnerabilities posed by Ajax-based Web applications.
Vulnerabilities arise with every new Web technology, and Ajax is no exception. Ajax's instantaneous data feedback is imposing new demands on IT architects to change the way users interact with and access corporate data via Web-based applications.
The danger to IT organizations is that Ajax technology is being perceived as a direct pipeline into corporate data. That's pushing developers to inadvertently expose more data and server logic than ever before.
Ajax's logic also can be hidden from client-side security scanning technologies, allowing hackers to set up the new attacks from remote servers. Ajax, too, falls prey to well-known vulnerabilities such as cross-site scripting, SQL injections and credentials-based security holes.
To give a picture of the dangers of Ajax applications and ways to solve them, the CRN Test Center evaluated four products that cover various aspects of the Web app development life cycle: Cenzic's Hailstorm, the SPI Dynamics suite, Finjan's Vital Security Appliance and Apache's XAP. By using these products and other, developers can significantly reduce Ajax vulnerabilities and make any flaws highly manageable.
One way to find Ajax flaws is with application security testing suites. To that end, Cenzic's Hailstorm has refined behavioral analysis of Ajax-based Web apps to an art form. Hailstorm can automate some of the most complex stream-based attacks, allowing developers to see how real-world hackers would go about breaking into their Web apps and stealing secure data.
Hailstorm allows developers to inspect all the vulnerabilities in real time to obtain information on which injected code was executed and how the target Web apps responded. Hailstorm also provides suggestions for fixing code from various technologies. Because Web app technologies are so varied, Hailstorm gives examples of generic fixes without showing code structures.
According to Cenzic, two major vulnerabilities surface when Ajax apps make server requests: input validation (such as SQL and script injections) and authentication. The key challenge for developers is to prevent feedback from any injection. Yet receiving modified, Ajax-based data structures without creating vulnerability in the code and enforcing standard HTTP requests can be daunting.
For instance, when making HTTP requests, post parameters separated by ampersands submit fields that allow hackers to find parameters providing insight into server responses. Hackers can create custom HTTP headers by inserting function calls using HTTP headers so that rogue scripts run on the server side. With Hailstorm, developers can identify flaws inside HTTP headers by injecting code based on server responses.
Hailstorm also can check for any post data injection. With vulnerable HTTP header responses, Hailstorm can generate cross-site scripting and SQL injection attacks to test server requests and script execution. Hailstorm can inject the headers with null functions to see if page structures can be modified with rogue functions. To get clues about the XML code and the functions being called, attackers often like to use null functions to receive messages back from the server.
Because Ajax requests are based on XMLHTTP, developers can change the structure of the post data dynamically to provide immediate Ajax-based data results to client browsers from a Web app. However, this feature can be exploited. For example, if hackers could modify any function, they could drop spam on a page.
Observing the best time to attack Ajax requests is also crucial because not all Ajax method calls are useful. With page loads, Ajax changes made to pages require follow-through responses from server-side components, by internal end users or by a combination of both, since Ajax requests are intermediary requests.
NEXT: More on Hailstorm and a look at SPI Dynamics' suite.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?