Organizations considering the use of Asynchronous Javascript and XML (AJAX) technologies to create more dynamic Web sites need to ensure they are not inadvertently opening doors into otherwise secure applications, analysts have warned.
While AJAX by itself doesn’t create new security risks, it has a tendency to amplify the seriousness of several well-understood threats, including SQL injections, cross-site scripting and denial of service attacks, they said.
A case in point was last month’s mass-mailing Yamanner worm, which took advantage of an apparent cross-site scripting error in Yahoo Inc.’s e-mail service to infect thousands of users. The worm arrived in Yahoo e-mail user inboxes bearing the subject header “New Graphic Site” and was activated simply by a user opening the infected e-mail.
The worm used Javascript functions in a user’s browser to access Yahoo’s e-mail service and perform actions on behalf of the user — such as looking for names in the Yahoo address list and sending them e-mails containing copies of the worm — without the user’s knowledge. Such threats can be amplified in Web applications built with AJAX if proper care is not taken to validate user requests coming in via the browser, said Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics in Atlanta.
AJAX is a programming technique that allows companies to make their Web sites more responsive to user input than pages built with HTML by enabling new content to be added to a Web page without needing the entire page to be reloaded. The task is accomplished by allowing the browser to fetch small amounts of data from the Web server from which the content is loaded using Javascript and XML technologies.
The approach is more efficient than having an entire Web page reload every time content needs to be refreshed. But it also increases the amount of traffic flowing between the browser and the Web server, thus increasing the potential for attacks such as the Yammaner worm, Hoffman said.
“Right off the bat you have a lot more input that you have to validate” on the server side compared to traditional Web sites, he said. “With AJAX, you are opening a lot more doors into the application, so if you don’t sanitize your user input” the potential for compromises also increases, he said.
“AJAX is a combination of JavaScript and XML. Both have security issues that AJAX helps to facilitate,” said Jason Bloomberg, an analyst with ZapThink LLC, a Baltimore-based consultancy specializing in XML and Web services.
For example, AJAX environments can provide more opportunties for hackers to launch SQL injection attacks, he said. These are attacks directed against Web applications that use client-supplied data to execute database queries. AJAX environments can present more opportunties for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken, he said.
“The main concern is that AJAX involves new approaches in providing functionality at the browser interface,” Bloomberg said. “So developers are more likely to make mistakes where traditionally they would know how to build a secure Web site.”
If adequate server-side protections do not exist, AJAX can leave more doors open for malicious clients to send corrupted data, expose back-end applications that were not previously vulnerable and allow unauthenticated users to quickly elevate their privileges, said Mandeep Khera, vice-president of marketing with Cenzic Inc., a Santa Clara, Calif.-based vendor of application testing tools.
Companies certainly need to be aware of such risks, said Tim Farmer, manager of the software architect team at Choice Homes Inc. in Arlington, Tex. But for the moment, at least, “the benefits that you get from AJAX outweigh the risks — so long as you make good decisions on what kind of information you are exposing out there,” Farmer said.
QuickLink 062893
