What You Should Know About AJAX Security: 24 Tutorials

For the most part, AJAX does not significantly increase the security vulnerabilities in most web applications. However, JavaScript, XML and asynchronous server calls do have potential holes if not properly implemented. If you're an application developer or security professional, there are things to watch out for with AJAX applications. If you're new to AJAX there are many hazards to watch out for, and tutorials and examples are among the worst culprits for security vulnerabilities. Before you start downloading examples and making them live on your server, you should learn a bit about security first. Below you'll find a list of tutorials, examples, and articles that detail many of the security implications of using AJAX.

As always, special thanks for all of the hard work done by the developers and security professionals who have taken their time to make all of this great information publicly accessible. Also, if you know of other great resources or tutorials pertaining to AJAX, please use the comments section on this article to add to the overall list. Thanks!

Ajax and Information Security

Ajax is a relatively new technology for security engineers to attempt to protect. Since the adoption rate of Ajax is starting to get bigger, security personnel should start looking at the technology now to see how best to protect the company in regards to using the new technology. Of course all the standard web application security structures should still be in place, but if the development or business teams want to use Ajax, it brings along its own special issues that security personnel need to know about.

AJAX and Secure Web Communications

Imagine, if you will, combining the Ajax model as articulated by Garrett with maturing XML security standards in order to meet ever increasing security and privacy needs. With encryption and signature services, and key management and/or client side authentication services embedded in the Ajax Engine layer, combined with identity management and access control on the server side, one can envision a powerful new class of secure web communications. And authentication could be handled through a PKI-based mechanism, kerberos, or something else.

Ajax Security: Container Managed Security

Ajax – Asynchronous JavaScript and XML – clearly is in the focus of software development. Strongly associated with the new Web 2.0 term, Ajax today is everybody's darling. Inspired by the promise and the developer uptake of Ajax, I thought of doing a reality check on one of my favorite pets: container managed security, authentication in particular. There are a couple of issues that just don't work well with container managed security.

AJAX: Is your application secure?

Some web-enabled applications, such as for email, do have pretty destructive functionality that could possibly be abused. The question is will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?

Ajax Mistakes

Ajax is an awesome technology that is driving a new generation of web apps, from maps.google.com to colr.org to backpackit.com. But Ajax is also a dangerous technology for web developers: its power introduces a huge amount of UI problems as well as server side state problems and server load problems.

AJAX Security Basics

Ajax is considered the next step in a progression towards the trumpeted "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of the relevant approaches and tools needed.

AJAX Security

Web developers cannot have failed to notice the excitement surrounding AJAX or Asynchronous JavaScript And XML. The ability to create intelligent web sites such as Google Suggest or compelling web-based applications such as Gmail is thanks in no small part to this technology. There is, however, a darker side – and accompanying the growth in AJAX applications we have noticed an equally significant growth in security flaws, with the potential to turn AJAX-enabled sites into a time bomb.

AJAX Security Threats and Performance Challenges

Forum Systems has issued an alert for AJAX-related security threats and performance issues. AJAX transforms a user’s Web browser into a Web services portal, thus exposing it to potentially corrupted data that can cause the browser to crash or perform poorly; malformed messages can disrupt server performance due to excessive parsing and exception handling.

Cenzic Extends Support for AJAX Security Assessment Applications

Cenzic announced that its automated vulnerability assessment solutions now offer full support for testing Web applications built using AJAX (Asynchronous JavaScript and XML) software development technology. AJAX support in Cenzic Hailstorm and ClickToSecure enables customers to take advantage of this application development technique to develop smoother, more responsive and intuitive applications without the associated vulnerabilities which have left AJAX-based applications increasingly susceptible to security threats.

Cross-Domain Ajax. Security Implications in Depth

Some people think we should remove the “same-domain” restriction from Ajax calls, and Eric Pascarello and xml.com (amongst others) don’t. I don’t think we’ve got to the bottom of the debate yet.

Cross-site scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which can be used by an attacker to compromise the same origin policy of client-side scripting languages.

Day-to-Day: Ajax Security

It’s hard to talk about Ajax without talking about security. Or more precisely, just about every customer who wants to talk seriously about using Ajax wants to talk about security.

Debunking Strong Misconceptions About Cross-Domain Ajax Security Issues

Quite a number of people have been discussing possible cross-domain Ajax security issues recently. These are smart people that generally know their technologies very well, but for some reason are missing some fundamental aspects about Ajax.

Eric Pascarello dissects Ajax security vulnerabilities

When people look at Ajax they see this XMLHttpRequest object performing magic on a Web page and they think that this can lead to major security flaws. When we do a simple view source on the page, we see the page we are calling, the parameters that are being sent. Anyone with any basic knowledge of JavaScript can easily inject scripts onto the page and change the request object to send other data. So yes, it is open to attack, but it is not anything to be afraid of.

Google, MSN, Flickr… struck by security hole

Tens of thousands of companies including AOL, Google, Microsoft and Yahoo are likely to be affected by the flaw in CPAINT – a toolkit used to create applications using an approach known as AJAX – short for Asynchronous JavaScript and XML. Rather than a technology in itself, AJAX is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript, and XMLHttpRequest.

Informal Thoughts on AJAX and Security

I’ll be the first to tell you: AJAX does NOT substantially change the typical web application security audit methodology. However, if you are a developer or a security professional, there are a few issues to consider and watch out for. The following is a list of thoughts I created for my own use, but I’d like to share it with you. Note that it is draft, and a work in progress.

JavaScript Security

JavaScript has a long and inglorious history of atrocious security holes. Its security problems are not limited to implementation errors. There are numerous ways in which scripts can affect the user’s execution environment without violating any security policies.

OWASP AJAX Security Project

The OWASP AJAX Security project is in the process of being formed. We are seeking a leader (or leaders) for the project to develop the OWASP AJAX Security Project Roadmap and identify the first tasks.

SAJA – Secure Ajax For PHP

Saja is a lightweight, open-source AJAX scripting engine for PHP, with optional secured function calls. It is designed for the speedy creation of simple, intuitive, and maintainable AJAX applications, without the need to write any JavaScript.

Security in an AJAX World

If data is more openly available as XML over HTTP, it’s going to be pretty damn easy for a smart hacker to get access to that data to make applications like this impressive example… which is great, but undoubtedly someone eventually will feel like their data is being “stolen” or “misused”.

Sprajax An Open Source Security Scanner for AJAX

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

Using AJAX for Image Passwords – AJAX Security

Using a mouse movement login, in addition to a regular text password, will increase security by being another dimensional input. Although keyboard sniffers could fairly easily start logging your mouse movements (I'm sure some already do), the amount of data needed to be stored is orders of magnitude more than for regular text passwords.

Using the XMLHttpRequest Object and AJAX to Spy On You

Just imagine, for the purposes of an example, that you drop your new iPod on the ground and it stops working. Hoping to get a free replacement, you write an e-mail to Apple support that says: “I just bought a brand new iPod. I dropped it down a set of stairs. It stopped working.” You then decide to delete the second sentence to help your cause. TOO LATE! If the site uses AJAX, your response may already have been zapped to the complaint desk in the sky!

Web Apps Compromised by Security Hole

Security vulnerabilities have been discovered in a widespread Web service protocol which could allow an attacker to take control of a vulnerable server. The holes, found in XML-RPC For PHP and PEAR XML_RPC, affect a large number of Web applications, according to an advisory from GulfTech, which discovered the flaws.
