August 03, 2007

Ajax a Threat to Web 2.0
Ajax, or Asynchronous JavaScript and XML, has come to dominate Web 2.0, but it is coming at a price: security. According to InformationWeek, SPI Dynamics demonstrated at Black Hat last Wednesday several ways to break a web site built with Ajax. HP is set to buy SPI Dynamics, a deal I asked IBM Rational about in this podcast. SPI Dynamics has taken to calling the rush to adopt Ajax for Web 2.0 “Premature AJAX-ulation.”
Ajax has become so prevalent in Web 2.0 because it lets developers build highly responsive applications that run over the Internet. Google Maps is one of the more prominent applications that rely on it. The weakness is the JavaScript: an Ajax application moves more of its logic into the browser, and everything that runs there is visible to, and fully under the control of, the user. An attacker can read the client-side code to learn how the application talks to the server, then call those server endpoints with any parameters they like, bypassing whatever checks or calculations the page's own JavaScript was supposed to perform.
As part of the demonstration, SPI researchers constructed a test site, HackerVacations.com, using the latest books and resources on Ajax, and then showed how flight pricing, seat selection, and other aspects could be easily manipulated on the site.
"Bryan and I were shocked at the bad advice published in Ajax security books," Billy Hoffman, lead security researcher for SPI, said. To secure Ajax, programmers need to carefully define and validate, on the server rather than in the browser, the data parameters their applications accept and the output they deliver; anything computed only in client-side JavaScript, such as a price or a seat assignment, has to be treated as untrusted input when it comes back.
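The following is an added example written for this post; it is not code from the original article or from SPI Dynamics' HackerVacations.com demonstration. It models the flight-pricing and seat-selection flaw described above: a booking endpoint that trusts the price and seat the page's JavaScript posted, next to a hardened version that accepts only identifiers and derives everything else server-side. The flight catalog, field names, regexes and request bodies are all assumptions made for the example.

```javascript
// Added example, not code from the original post or from SPI Dynamics'
// HackerVacations.com demo. Flight data, field names and validation
// regexes are assumptions made for illustration.

// Server-side catalog (constructed sample data). A fresh copy is made per
// call so the handlers below can be exercised independently.
function makeCatalog() {
  return {
    HV101: {
      price: 450.0,
      seats: { "12A": "available", "12B": "taken", "1A": "first-class" },
    },
  };
}

// Vulnerable handler. The request body carries the price and seat that the
// browser-side script calculated and posted via XMLHttpRequest. That script
// runs on the attacker's machine, so the body can be rewritten with a proxy
// or the browser console before it is sent; the server is in effect letting
// the user name their own fare and seat class.
function bookFlightVulnerable(catalog, body) {
  const flight = catalog[body.flightId];
  if (!flight) return { ok: false, error: "unknown flight" };
  // No comparison against the catalog price, no check that the seat is free.
  return { ok: true, charged: body.price, seat: body.seat };
}

// Hardened handler. The client may only choose identifiers; anything with
// financial or access-control meaning is looked up and validated here.
function bookFlightHardened(catalog, body) {
  // 1. Define and validate exactly the parameters the endpoint accepts.
  if (typeof body.flightId !== "string" || !/^[A-Z]{2}\d{3}$/.test(body.flightId)) {
    return { ok: false, error: "bad flightId" };
  }
  if (typeof body.seat !== "string" || !/^\d{1,2}[A-F]$/.test(body.seat)) {
    return { ok: false, error: "bad seat" };
  }
  // 2. Ignore any client-supplied price; the catalog is the source of truth.
  const flight = catalog[body.flightId];
  if (!flight) return { ok: false, error: "unknown flight" };
  if (flight.seats[body.seat] !== "available") {
    return { ok: false, error: "seat not available" };
  }
  // 3. Reserve the seat and charge the server-side price. In a real service
  //    this read-check-write belongs inside one database transaction.
  flight.seats[body.seat] = "taken";
  return { ok: true, charged: flight.price, seat: body.seat };
}

// The same booking request as the page's JavaScript sends it, and after an
// attacker edits it in transit (constructed): a $1 fare in a first-class seat.
const HONEST_REQUEST = { flightId: "HV101", seat: "12A", price: 450.0 };
const TAMPERED_REQUEST = { flightId: "HV101", seat: "1A", price: 1.0 };
const MALFORMED_REQUEST = { flightId: "HV101 OR 1=1", seat: "12A", price: 450.0 };

// Run each handler against each request and return the outcomes.
function demo() {
  return {
    vulnHonest: bookFlightVulnerable(makeCatalog(), HONEST_REQUEST),
    vulnTampered: bookFlightVulnerable(makeCatalog(), TAMPERED_REQUEST),
    hardHonest: bookFlightHardened(makeCatalog(), HONEST_REQUEST),
    hardTampered: bookFlightHardened(makeCatalog(), TAMPERED_REQUEST),
    hardMalformed: bookFlightHardened(makeCatalog(), MALFORMED_REQUEST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable handler happily charges $1.00 for seat 1A; the hardened one rejects the same body because 1A is not an available seat, charges the catalog price for an honest request, and refuses the malformed flight identifier before touching any data. Note that the hardened version never reads `body.price` at all: the client has no business sending it.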
Tags: Ajax, Web 2.0, JavaScript
Posted by pschooff in Better Protection