I'm out here in beautiful New York City with some good friends elbow-deep in Web Application Security topics, but of course I won't be neglecting you readers who so graciously passed in your questions from the Ottawa and Montreal workshops. To kick it off, I'll address the question about AJAX technologies and what it means for web application security overall.
First off, AJAX is not fundamentally different from what your applications are doing now. The main difference is in how those technologies are used, and the difference there is vast. JavaScript becomes asynchronous (communication in which interaction between parties does not take place simultaneously), and odds are you're going to expose a much greater attack surface overall when you move to AJAX-based applications. Whereas your old applications hid many of the methods and views behind the application server veil, AJAX pushes those interfaces out and exposes APIs for the world to see and hack at. Again, things aren't necessarily different - they're just more exposed.
AJAX changes the game a little because there are things like JSON (JavaScript Object Notation) objects, XMLHttpRequest objects which make requests without the user's interaction, and new data structures and application interfaces which are now all of a sudden public ('ish).
You see, AJAX doesn't introduce any "new" vulnerabilities... it simply takes the things that are already wrong and massively amplifies them.
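To make the "more exposed" point concrete, here is an added example (not code from this post): the same lookup logic as it might have sat behind a server-rendered page, and the version that is safe to publish as a JSON endpoint. The order data, session shape and function names are all hypothetical.

```javascript
// Constructed sample data; every name in this block is hypothetical.
const ORDERS = new Map([
  [101, { id: 101, owner: "alice", total: 42.5 }],
  [102, { id: 102, owner: "bob", total: 17.0 }],
]);

// "Before": logic that used to sit behind a server-rendered page. The page
// only ever linked to the user's own orders, so nothing checked ownership.
// Published as a JSON endpoint, the same gap is callable with any id.
function getOrderUnchecked(session, query) {
  const order = ORDERS.get(Number(query.id));
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// "After": the endpoint treats every parameter as untrusted input and
// re-checks authentication and ownership on the server for each request.
function getOrderChecked(session, query) {
  if (!session || !session.user) return { status: 401, body: null };
  if (!/^\d{1,9}$/.test(String(query.id))) return { status: 400, body: null };
  const order = ORDERS.get(Number(query.id));
  // Same response for "missing" and "not yours" so ids cannot be enumerated.
  if (!order || order.owner !== session.user) return { status: 404, body: null };
  return { status: 200, body: order };
}

// Run the same constructed requests through both handlers.
function compare() {
  const requests = [
    { session: { user: "alice" }, query: { id: "101" } },    // own order
    { session: { user: "alice" }, query: { id: "102" } },    // someone else's
    { session: null, query: { id: "101" } },                 // not logged in
    { session: { user: "alice" }, query: { id: "1 OR 1" } }, // malformed id
  ];
  return requests.map((r) => ({
    unchecked: getOrderUnchecked(r.session, r.query).status,
    checked: getOrderChecked(r.session, r.query).status,
  }));
}

console.log(compare());
```

The flaw in the first handler existed before any AJAX was involved; exposing it as a public interface is what makes it reachable.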
Good luck!
Posted 09-25-2008 4:03 AM by RafalLos