PC Authority, News. Sunday November 8, 2009 9:14 PM AEST

Ajax developers seen playing with security fire

by Tom Sanders  on Oct 5, 2006
Security overlooked in web2.0 land grab.
The rise of Asynchronous JavaScript and XML (Ajax) applications is exposing enterprises and end users to a new series of security threats, but developers are insufficiently aware of the heightened risks.

"We're seeing a rise in web application attacks because people are realising that it is easier to go through the web application," Billy Hoffman, a lead security researcher with Spi Dynamics said.

"There is all sorts of money to be made in web [in]security. A lot of times, it's easier to attack an application through the web layer than traditionally, by trying to break through the firewall or spoof around the intrusion detection system. Criminals take the path of least resistance," Hoffman said at the AjaxWorld conference in Santa Clara, California.

To end users, Ajax is a programming technique that allows websites to pre-fetch data and thereby allows for more interactive websites. Google on Tuesday unveiled Ajax tools for its search engine that let web publishers integrate search and search results directly into their webpages. Other popular services using Ajax include the Flickr photo sharing service and the Digg social bookmarking site.

Under the hood, Ajax uses web services techniques such as XML to transmit information directly from a database to the website. Without Ajax, the same application would have required the web server to build the actual webpage that is presented to the user. An Ajax application instead combines disparate data sources directly on the client system.

Where the database previously was kept within the safe perimeter of the corporate firewall, Ajax requires that these services can be directly accessed by outside systems.

"When you Ajaxify an application, it increases the attack surface," said Hoffman.

Yahoo in the past summer was hit by a security vulnerability in its online mail service. A specially crafted email message allowed attackers to access a user's email account, download the contents of their address books and send out spam emails from the hacked account.

Such threats are known as cross site scripting vulnerabilities (commonly referred to as XSS) because they span several services. They are rapidly becoming a dominant online threat category, said Hoffman. Salesforce.com, Paypal as well as Google all have been forced to repair XSS security holes in their online software.

The issue of Ajax insecurity is mainly a matter of developer culture, said Hoffman. Because the programming technique is relatively immature, it hasn't yet established best practices.

Web developers traditionally haven't paid much attention to the security of their code because they typically have a background in graphic design. Software developers who start creating code for the web, meanwhile, aren't used to worrying about the fact that they are suddenly exposing new web services to the web.

Sample code that is published by trade publications and books about Ajax programming also fails to instill safe programming skills. Hoffman pointed to the AjaxWorld publication, after which this week's AjaxWorld conference is named. A copy of the publication that was handed out to delegates featured a code sample that would allow an attacker to hack into the service, Hoffman claimed.

"In a space like Ajax you have a lot of developers that don't really know much about it. They are reading books and tutorials, but these tutorials are giving them really bad and insecure advice," he warned.

"You've got a developer culture that is saying: 'Let me learn how to do Ajax,' and they are not being told how to do it securely."

Writing secure Ajax code is further complicated by the fact that JavaScript, the language underlying Ajax, was never created with Ajax applications in mind and is very hard to debug.

Validating the data that users input, however, will mitigate most attacks, Hoffman said. Cross site scripting attacks, for instance, can work by entering SQL commands in an email registration box. Ensuring that an email address contains an @ and banning punctuation other than the dot offers a straightforward way to prevent such attacks.

Hoffman also flamed the "perpetual open betas" that many online applications use. In an attempt to develop their products more rapidly, firms bypass closed tests and instead invite users to put live data into their unfinished products. While it might be a good strategy for quickly launching a product, it spells doom for the application's security, Hoffman argued.

"It's like hanging out a big sign saying: 'Hey, hackers. Here's some code that hasn’t been pounded on too hard. Let's come and attack me.'"

"This whole concept of go fast is being pushed by market pressures and it's really the last thing that you'd want to do."

Copyright © 2009 v3.co.uk