Signs on the Sand: SPI Labs: AJAX Opens up the Whole New Opportunities for Hacker Attacks

Random photo

Domains for sale

UltraBuilder.com
MobileOcean.com
SmartScripting.com
XPath.info
XSL.info
exodus.mobi
hydra.mobi
OpenTalk.mobi
XLinq.net

August 16, 2006

SPI Labs: AJAX Opens up the Whole New Opportunities for Hacker Attacks

SPI Dynamics has published a whitepaper "Ajax Security Dangers":

While Ajax can greatly improve the usability of a Web application, it can also
create several opportunities for possible attack if the application is not
designed with security in mind. Since Ajax Web applications exist on both the
client and the server, they include the following security issues:

• Create a larger attack surface with many more inputs to secure
• Expose internal functions of the Web application server
• Allow a client-side script to access third-party resources with no builtin
security mechanisms

From all dangers one sounds the most horrible - authors claim that "Ajax Amplifies XSS". Ajax allows cross-site scripting (XSS) attacks to spread like a virus or worm. And that's not an imaginary threats, the attacks are already happening.

The first widely known AJAX worm was "Samy worm" or "JS.Spacehero worm" hits 1,000,000+ MySpace users in less than 20 hours back in 2005 and then again.

In 2006 "The Yamanner worm" infested Yahoo Mail and managed to capture thousands email addresses and uploaded them to a still unidentified Web site.

Provided that the problem wasn't that Yahoo or MySpace staff is incompetent:

"The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," said David Wagner, assistant professor of computer science at the University of California at Berkeley

It's for sure just a matter of time before Google or Microsoft Ajax based applications will be hacked, not to mention vendors with less experienced developers driving to Ajax by the hype and widely leveraging "cut and paste” coding technique.

"JavaScript was dangerous before Ajax came around," noted Billy Hoffman, lead R&D researcher at SPI Dynamics Inc., a computer security firm. With the addition of Ajax functionality in many other Web applications, the problem is going to get worse before it gets better, he said.

Pessimistic summary, but what would you expect in a "Worse is Better" world?

del.ico.us |

digg it |

August 16, 2006 12:36 PM | #Web , #XML

Comments

You better think about where you can move to away from the Middle East.

G_d has forsaken your people. In every other war Israel has been in since 1948 G_d has blessed your people with miracles to help you win, but not this war.

Why?

I believe it's because of the tolerance that has been seen in your nation for homosexuality, BSDM, and other immoral behavior.

Chronicles 24:20
New International Version (NIV)

20 Then the Spirit of G_d came upon Zechariah son of Jehoiada the priest. He stood before the people and said, "This is what G_d says: 'Why do you disobey the LORD's commands? You will not prosper. Because you have forsaken the LORD, he has forsaken you.'

Posted by: Gene at August 17, 2006 5:34 AM