August 16, 2006

SPI Labs: AJAX Opens Up Whole New Opportunities for Hacker Attacks

SPI Dynamics has published a whitepaper "Ajax Security Dangers":

While Ajax can greatly improve the usability of a Web application, it can also
create several opportunities for possible attack if the application is not
designed with security in mind. Since Ajax Web applications exist on both the
client and the server, they include the following security issues:

• Create a larger attack surface with many more inputs to secure
• Expose internal functions of the Web application server
• Allow a client-side script to access third-party resources with no built-in security mechanisms

Of all the dangers, one sounds the most alarming: the authors claim that "Ajax Amplifies XSS". Ajax allows cross-site scripting (XSS) attacks to spread like a virus or worm. And that's not an imaginary threat; the attacks are already happening.

The first widely known AJAX worm, the "Samy worm" (also known as the "JS.Spacehero worm"), hit 1,000,000+ MySpace users in less than 20 hours back in 2005, and then again.

In 2006 the "Yamanner worm" infested Yahoo Mail and managed to capture thousands of email addresses and upload them to a still unidentified Web site.

And the problem wasn't that Yahoo or MySpace staff are incompetent:

"The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," said David Wagner, assistant professor of computer science at the University of California at Berkeley.

It's surely just a matter of time before Google's or Microsoft's Ajax-based applications get hacked, not to mention vendors with less experienced developers, driven to Ajax by the hype and widely leveraging the "cut and paste" coding technique.

"JavaScript was dangerous before Ajax came around," noted Billy Hoffman, lead R&D researcher at SPI Dynamics Inc., a computer security firm. With the addition of Ajax functionality in many other Web applications, the problem is going to get worse before it gets better, he said.

Pessimistic summary, but what would you expect in a "Worse is Better" world?

...

Dimitre Novatchev is blogging

Congratulations to all XSLT geeks: Dimitre Novatchev, XSLT extraordinaire, is blogging! Whoha! Subscribed.

...

Ward Cunningham: Wiki is the original Web 2.0 application

Ward Cunningham: "Wiki is the original Web 2.0 application."

Read Ward Cunningham talking on "Wikis, Patterns, Mashups and More". Interesting one.

...