05 Oct 2006
The rise of Asynchronous JavaScript and XML (Ajax) applications is exposing enterprises and end users to a new series of security threats, but developers are insufficiently aware of the risks.
"We are seeing a rise in web application attacks because people are realising that it is easier to go through the web application," Billy Hoffman, a lead security researcher with Spi Dynamics, told vnunet.com.
"There is all sorts of money to be made in web security," Hoffman said at the AjaxWorld conference in Santa Clara, California.
"It is often easier to attack an application through the web layer than by trying to break through the firewall or spoof around the intrusion detection system. Criminals take the path of least resistance."
From the end-user perspective, Ajax is a programming technique that allows websites to pre-fetch data and build more interactive pages.
Google unveiled Ajax tools for its search engine on Tuesday that let web publishers integrate search and search results directly onto their web pages.
Other popular services using Ajax include the Flickr photo sharing service and the Digg social book-marking site.
Under the hood, Ajax uses web services techniques such as XML to transmit information directly from a database to the website.
A non-Ajax application would have required a web server to build the actual web page presented to the user. An Ajax application instead combines disparate data sources directly on the client system.
Whereas the database was kept within the safe confines of the corporate firewall, Ajax requires the services to be directly accessed by outside systems. "When you 'Ajaxify' an application, it increases the attack surface," said Hoffman.
Yahoo was hit by a security vulnerability in its online mail service last summer.
A maliciously crafted email message allowed attackers to access users' email accounts, download the contents of their address books and send out spam emails from the hacked accounts.
Such threats are known as cross-site scripting vulnerabilities (commonly referred to as XSS) because they span several services.
They are rapidly becoming a dominant online threat category, according to Hoffman. Salesforce.com, PayPal and Google have all been forced to repair XSS security holes in their online software.
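The client-side rendering step that Hoffman's point about attack surface refers to can be shown in code. The following is an added example, not from the article or from Spi Dynamics: it contrasts a rendering routine that drops fetched data straight into markup with one that escapes and validates each field first. The response data, function names and URLs are constructed for illustration.

```javascript
// Added example (not from the article or Spi Dynamics): how a client-side
// rendering step turns an untrusted Ajax response into an XSS sink, and the
// escaping that closes it. All data below is constructed.

// Escape text for element content or double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only http(s) links from the data; anything else is neutralised.
function safeUrl(u) {
  try {
    const p = new URL(String(u));
    return p.protocol === "http:" || p.protocol === "https:" ? p.href : "#";
  } catch (e) {
    return "#";
  }
}

// Constructed response, as a third-party search service might return it.
// The second title carries markup the service did not sanitise.
const sampleResults = [
  { title: "Ajax security notes", url: "https://example.com/ajax" },
  { title: "<b>not bold</b> & \"quoted\"", url: "https://example.com/x" },
];

// Vulnerable pattern: response fields are concatenated straight into markup
// that the page hands to innerHTML, so tags in the data join the document.
function renderUnsafe(results) {
  return results
    .map((r) => `<li><a href="${r.url}">${r.title}</a></li>`)
    .join("");
}

// Hardened pattern: every untrusted field is escaped or validated first.
function renderSafe(results) {
  return results
    .map((r) => `<li><a href="${safeUrl(r.url)}">${escapeHtml(r.title)}</a></li>`)
    .join("");
}

// True when rendered markup still contains a tag that came from the data.
function leaksDataMarkup(html) {
  return /<b>/.test(html);
}
```

The same escaping applies whether the data arrives as XML or JSON; what matters is that it is treated as text, not markup, at the point it enters the page.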