RIA News Desk

How to Prevent Security Vulnerabilities in AJAX

To the security professional AJAX makes life difficult by increasing the attack surface of Web applications

Billy Hoffman will deliver a session at the upcoming AJAXWorld Conference & Expo, October 2-4, 2006, in Santa Clara, California, on the hot topic of AJAX and Security. His session is entitled "How to Prevent Security Vulnerabilities in AJAX."

AJAX can mean different things to different people. To a user, AJAX means smooth Web applications like Google Maps or Outlook Web Access. To a developer, AJAX provides methods to enrich a user's experience with a Web application by reducing latency and offloading complex tasks to the client. To an information architect, AJAX means fundamentally changing the design of Web applications so that they span both client and server. To the security professional, AJAX makes life difficult by increasing the attack surface of Web applications and exposing internal logic layers to the entire network. With 70% of attacks coming through the application layer, AJAX makes the job of securing Web applications that much harder. This presentation will comprehensively discuss the fundamental security issues of AJAX. These include browser/server interaction issues, application design issues, vulnerabilities in work-arounds like AJAX bridges, and how the hype surrounding Web 2.0 applications is making things worse. Specifically, we will examine the different attack methodologies used against AJAX applications, how AJAX increases the danger of XSS attacks, the dangers of exposing your application logic layer to the network, how bridges can be used to exploit third-party sites, and more. Finally, we discuss how to properly design an AJAX application to avoid these security issues and demonstrate methods to secure existing applications.

Speaker Bio: Billy Hoffman is a lead security researcher for SPI Dynamics (www.spidynamics.com). At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, The 5th Hope, and several other conferences. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included reverse engineering law and techniques, ATMs, XM Radio and magstripe projects. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects and writes articles under the handle Acidus.
