Clean Up Ajax Security Problems: A Comparative Review - InformationWeek




The CRN Test Center compares Cenzic, SPI, Finjan, and Apache products that help developers mitigate the vulnerabilities posed by Ajax-based Web applications.

Vulnerabilities arise with every new Web technology, and Ajax is no exception. Ajax's instantaneous data feedback is imposing new demands on IT architects and changing the way users interact with and access corporate data via Web-based applications.

The danger to IT organizations is that Ajax technology is being perceived as a direct pipeline into corporate data. That's pushing developers to inadvertently expose more data and server logic than ever before.

Because much of an Ajax application's logic is script fetched at run time rather than part of the initial page, it also can be hidden from client-side security scanning technologies, allowing hackers to stage new attacks from remote servers. Ajax applications, too, fall prey to well-known vulnerabilities such as cross-site scripting, SQL injection and credential-handling flaws.

To give a picture of the dangers of Ajax applications and ways to solve them, the CRN Test Center evaluated four products that cover various aspects of the Web app development life cycle: Cenzic's Hailstorm, the SPI Dynamics suite, Finjan's Vital Security Appliance and Apache's XAP. By using these products and others, developers can significantly reduce Ajax vulnerabilities and make any remaining flaws highly manageable.

One way to find Ajax flaws is with application security testing suites. To that end, Cenzic's Hailstorm has refined behavioral analysis of Ajax-based Web apps to an art form. Hailstorm can automate some of the most complex stream-based attacks, allowing developers to see how real-world hackers would go about breaking into their Web apps and stealing sensitive data.

Hailstorm allows developers to inspect all the vulnerabilities in real time to obtain information on which injected code was executed and how the target Web apps responded. Hailstorm also provides suggestions for fixing code from various technologies. Because Web app technologies are so varied, Hailstorm gives examples of generic fixes without showing code structures.

According to Cenzic, two major classes of vulnerability surface when Ajax apps make server requests: input validation (SQL and script injection) and authentication. The key challenge for developers is to ensure that injected input never produces useful feedback for an attacker. Yet accepting Ajax-modified data structures without introducing vulnerabilities in the code, while still enforcing well-formed HTTP requests, can be daunting.

For instance, in HTTP POST requests the parameters are submitted as ampersand-separated name/value pairs, which makes it easy for hackers to enumerate the parameters and learn from the server responses how each one is handled. Hackers also can craft custom HTTP headers, inserting function calls into them so that rogue scripts run on the server side. With Hailstorm, developers can identify flaws in HTTP header handling by injecting code and observing the server responses.

Hailstorm also can check for POST data injection. Where HTTP header responses are vulnerable, Hailstorm generates cross-site scripting and SQL injection attacks to test server requests and script execution. It can also inject headers with null functions to see whether page structures can be modified with rogue functions; attackers often use null functions to elicit server messages that reveal the XML structure and the functions being called.

Because Ajax requests are made through XMLHttpRequest, developers can change the structure of the POST data dynamically to deliver immediate results to client browsers from a Web app. However, this flexibility can be exploited: if hackers could modify any function, they could drop spam on a page.
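The parameter-smuggling and script-injection risks described above, shown as an added example (this is illustrative code, not from the article or from any of the reviewed products; the endpoint fields `user` and `comment` and the attacker string are constructed for the demonstration). An Ajax client that builds its POST body by string concatenation lets a single user-supplied value inject extra ampersand-separated parameters; percent-encoding each field on the client, allow-listing the parameter set on the server and HTML-escaping anything written back into the page closes that path.

```javascript
// Added example: unsafe vs. hardened handling of an Ajax POST body.
// Runs stand-alone under Node (uses only the standard URLSearchParams).

// Naive client-side body builder: joins fields with '&' and '=' with no
// encoding, so a value containing '&' or '=' is read as extra parameters.
function buildBodyUnsafe(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('&');
}

// Hardened builder: every key and value is percent-encoded, so delimiter
// characters inside a value survive as data rather than as structure.
function buildBodySafe(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Minimal server-side parser for application/x-www-form-urlencoded bodies,
// modelled on how Web frameworks read them (decoding happens here).
function parseBody(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// Server-side allow-list for a hypothetical comment endpoint: the request is
// honoured only when it carries exactly the expected parameter names, so a
// smuggled field such as 'role' is rejected instead of silently trusted.
const EXPECTED_FIELDS = ['user', 'comment'].sort();
function acceptRequest(parsed) {
  const keys = Object.keys(parsed).sort();
  return keys.length === EXPECTED_FIELDS.length &&
    keys.every((k, i) => k === EXPECTED_FIELDS[i]);
}

// HTML-escape for server text that the Ajax callback writes into the page
// (use this, or textContent, rather than assigning raw responses to innerHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Constructed attacker input: the comment tries to smuggle a privilege field.
const smuggled = { user: 'alice', comment: 'hi&role=admin' };

// Runs both paths and returns what the server would see in each case.
function demo() {
  const unsafe = parseBody(buildBodyUnsafe(smuggled));
  const safe = parseBody(buildBodySafe(smuggled));
  return {
    unsafe,                                   // { user, comment: 'hi', role: 'admin' }
    safe,                                     // { user, comment: 'hi&role=admin' }
    unsafeAccepted: acceptRequest(unsafe),    // false: extra 'role' parameter
    safeAccepted: acceptRequest(safe),        // true: exactly the expected fields
    rendered: escapeHtml('<script>alert(1)</script>'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allow-list is the server-side half of the fix: encoding on the client only protects honest clients, since an attacker sends whatever body they like, so the server must still reject parameter sets it did not expect and must never place response text into the page unescaped.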

Choosing the right moment to attack Ajax requests is also crucial, because not all Ajax method calls are useful targets. Ajax requests are intermediary requests: changes made to a page after it loads require follow-through responses from server-side components, from internal end users, or from a combination of both.

NEXT: More on Hailstorm and a look at SPI Dynamics' suite.

1 of 3