Businesses Ignoring AJAX Security Gaps

While traditional applications have only a handful of inputs, AJAX expands the attack surface and gives direct access to APIs, which paves the way for new types of attacks using malformed commands, Billy Hoffman, lead R&D engineer at Atlanta-based SPI Dynamics, said in a presentation at the conference. That's fueling the rising number of attacks on the application layer, including cross-site scripting (XSS) and SQL vulnerabilities, he noted.

"We're seeing so much at the Web level -- it's ridiculous," Hoffman said.

AJAX's popularity has led to a surge in software that "Ajaxifies" Web sites, and those applications can allow hackers to talk directly to Web services and easily gain the necessary insight to attack them, according to Hoffman. And with direct API access, hackers can call back-end application functions directly and alter the normal sequence of functions and trigger denial-of-service attacks.

"AJAX exposes how your application functions, giving an attacker a blueprint for how the application functions normally," Hoffman said.

The programming tactic of obfuscation is ineffective because reversing and parsing JavaScript code is simple, he said, explaining that all attackers need to do is look at what the client code does with the code on the server and see how they interact. "You can't protect anything you give to the client," he said.

Particularly dangerous is the XML HTTP request object, which lets JavaScript make HTTP requests on the user's behalf. Because the server can't discern AJAX requests from browser requests without using two-factor authentication, hackers could exploit JavaScript to gain access to a cookie with a user's login credentials, according to Hoffman.

AJAX also amplifies the damage of XSS, where JavaScript is injected into a Web page that's returned to the user's browser and then executed by the browser. With AJAX, Hoffman noted, XSS can make malicious requests with a user's credentials, and the two technologies can actively hunt for specific information.

Working together, XSS and AJAX also can self-propagate, making their damage potential even greater. The October 2005 Myspace virus used AJAX and XSS to inject a virus into the user profile of anyone who viewed an infected page, Hoffman said. And eight months later, the Yamanner worm used AJAX to send infected e-mail to Yahoo mail users and was set up to steal entire address books, he added.