LAS VEGAS—AJAX technology is rapidly being adopted by online businesses to help boost the interactivity of their Web sites, but a long list of potential vulnerabilities introduced by inexperienced programmers could create a troubling security landscape for Web 2.0 technologies.
For instance, the technology can allow a Webmail site to automatically download messages into a users inbox without requiring the individual to refresh their browser screen. Well-known sites such as Google Maps, Yahoo and MySpace already employ AJAX tools in a number of ways.
Hoffman maintains that the current push by businesses to add AJAX tools to improve their sites and Web applications could create a slew of serious vulnerabilities, as inexperienced developers fail to properly protect their work and attackers learn to use the benefits of AJAX to their advantage.
“AJAX applications have a huge attack surface, much larger than traditional applications,” Hoffman said. “And the buzz around AJAX is creating immense security implications, as the available knowledge bases and types of resources available for developers are poor.”
As more programmers begin to work with AJAX, there will be an opportunity for hackers to launch a range of serious threats against sites with insufficient defenses in place, according to Hoffman.
The Yamanner virus that struck Yahoos Webmail system and the Samy worm attack that targeted users of the popular MySpace social networking site reflect the types of attacks that Hoffman said he believes will be more prevalent in the years to come as AJAX becomes more pervasive.
Whereas the data used in more traditional Web applications exists largely on back-end servers, AJAX extends programs across both the client device and the server, creating far more opportunities for hackers to deliver malware onto sites. While a traditional online form requires users to hit submit to transmit all of their information to a Web site, creating a single communication that could be targeted by malware programs, an AJAX-enabled form that automatically relays the data from each field as data is entered will launch multiple transmissions that virus writers can latch into, Hoffman said.
By exploiting shortcomings in AJAX programmers work, hackers may also be able to gain access to Web applications themselves and wreak havoc with online businesses.
“Now [an attacker] is inside your application and can create a pipeline that allows them to see all the function names, variables and parameters of your site,” Hoffman said.
AJAX could also serve to amplify the potential of so-called cross-site scripting attacks, which seek to inject code onto legitimate Web sites in order to mislead users and steal their information. So-called screen-scraping attacks and Web session hijacking attempts, both of which also seek to steal users data, could also be performed more easily by taking advantage of AJAX. By allowing attackers to utilize the behind-the-scenes nature of the technology to escalate their threats by requesting multiple streams of data from sites, outsiders could garner even greater levels of information, Hoffman said.
“AJAX is already present in every modern browser, and it has nothing to do with the Web server, thats part of the reason its so bad,” he said. “Even though AJAX says youre only allowed to talk back to a host, thats still a problem, as it can be used to amplify scripting on a site; short of two-factor authentication, it can get through any log-in sequence.”
Hoffman directly criticized publishers of AJAX development manuals, who he said are adding to the problem by failing to warn programmers how to protect their work adequately. Inexperienced AJAX programmers use of widely available AJAX code in their own programs, a common practice, will create even more problems, he said.
Black Hat attendees appeared impressed by the presentation, which included an example of an AJAX attack Hoffman discovered in the wild that targets Microsofts Atlas development tool kit.
Andrew van der Stock, a security architect at National Australia Bank, based in Melbourne, Australia, said the threats posed by improper use of AJAX likely wont discourage companies from aggressively adopting the technology until major attacks take down popular Web sites and businesses come to understand the potential impact on their bottom lines.
“It will take a number of serious worm attacks on big sites for people to get the message. Customers love AJAX so theres a lot of demand right now,” van der Stock said. “Adoption wont slow down and most AJAX developers dont know anything about security.”
Other attendees observed that it will take time for awareness of AJAX security issues to become more widely recognized, but said most of the issues touched upon in the session could be easily eliminated once discovered.
“Programming over the Web will require due diligence, but the fixes are fairly simple and easily analyzed,” said Chris Hoffman, director of special projects for browser maker Mozilla, in Mountain View, Calif. “The delivery mechanism for fixing the problems is also much faster than client software, and there are other security advantages to AJAX as well.”