Ajax's Success Could Weaken Web 2.0 - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Information Management

Ajax's Success Could Weaken Web 2.0

Despite the several ways to break down a Web site built using Ajax, all is not lost, according to SPI Dynamics.

Bandwagoning is inevitable whenever a new technology or technique demonstrates success, and Ajax, or Asynchronous JavaScript and XML, has definitely been successful in the Web 2.0 world. Maybe too successful, from a security standpoint.

To prove this theory, SPI Dynamics Wednesday at the Black Hat USA 2007 conference in Las Vegas demonstrated several ways to break down a Web site they built using Ajax. The company dubbed the rush to erect Ajax-based Web sites "Premature Ajax-ulation," and proceeded to describe how it can be diagnosed, treated, and even avoided.

To demonstrate the lack of attention paid to securing Ajax, all of the techniques and approaches SPI researchers used to construct their fictitious site, called HackerVacations.com, came from books and other readily available resources about Ajax. The result was a site where flight pricing, seat selection, and other features were easily manipulated.

"Developers write these applications the way they're supposed to be used," Bryan Sullivan, SPI's development manager, told InformationWeek. "That's great, except that you've only ever tried to exercise the application the way it's intended to be used." Those attacking the application have no such inhibitions.

"Bryan and I were shocked at the bad advice published in Ajax security books," Billy Hoffman, lead security researcher for SPI, which is set to be bought by HP, told InformationWeek.

Ajax is seductive because it lets developers build applications that are as responsive as a desktop app but available over the Web. Ajax has risen to prominence on the back of applications such as Google Maps, which breaks up complex functions so that the users get more immediate gratification from their requests for information.

"With traditional Web applications, you broke in by feeding malicious code into the server to help make the server fail," Hoffman said. JavaScript, however, makes greater use of the client, thus giving anyone attacking an Ajax-based application access to a greater amount of the application's code.

The news wasn't all bad, however. It is possible to write secure Ajax applications if programmers carefully define and validate the data parameters their applications accept as well as the output the applications deliver. Barring that, abstinence, or at least using Ajax sparingly, may be the best solution.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
White Papers
Register for InformationWeek Newsletters
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Flash Poll