Welcome!

RIA News Desk

Subscribe to RIA News Desk: eMailAlertsEmail Alerts
Get RIA News Desk via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: RIA Developer's Journal

RIA & Ajax: Article

How Hackers Break Into AJAX Applications

Unfortunately, far too many people rush into AJAX development without giving proper consideration to security issues

AJAXWorld Conference & Expo 2007 West will present a "Security" session by Billy Hoffman entitled "How Hackers Break Into AJAX Application."

Interest in AJAX is sky-high and only continues to grow. Unfortunately, far too many people rush into AJAX development without giving proper consideration to security issues. Sure people talk in the abstract about an “increased attack surface” or “leaking secrets” but how securely are people developing AJAX apps? We will present a sample travel website we built using design patterns, advice and code samples from respected resources in the AJAX communities. Next we will show you how we tear the application to shreds, booking ourselves free flights, accessing coupon codes, hijacking the administration functions and stealing everyone’s account information. We do all this using flaws that popular AJAX resource ignore or only mention in passing such as: Improper use of client-side XSLT; Use of overly- or underly-granular server-side APIs; and storing secrets (either data or functionality) in client-side code; exploiting Ajax race conditions, and Applying static analysis to deobfuscate client-side JavaScript. Given the popularity of AJAX and the ease of use of framework helper libraries, it can be very tempting for developers to use Ajax when it's not really necessary. This is a significant security risk in itself, since AJAX applications can be more difficult to secure than traditional Web applications. Furthermore, the use of third-party frameworks can actually make the problem worse, since they hide potential security issues without truly resolving them. We will address these issues, make recommendations on which Ajax frameworks to avoid, and make recommendations on when to avoid AJAX altogether. Following the design and implementation guidelines set out in this presentation will help you to delay your AJAX gratification to provide the highest level of security satisfaction for you and your partners.

Speaker Bio: Billy Hoffman is a lead security researcher for SPI Dynamics (www.spidynamics.com). At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, The 5th Hope, and several other conferences. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Topics have included reverse engineering law and techniques, ATMs, XM Radio and magstripe projects. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects and writes articles under the handle Acidus.

More Stories By RIA News Desk

Ever since Google popularized a smarter, more responsive and interactive Web experience by using AJAX (Asynchronous JavaScript + XML) for its Google Maps & Gmail applications, SYS-CON's RIA News Desk has been covering every aspect of Rich Internet Applications and those creating and deploying them. If you have breaking RIA news, please send it to RIA@sys-con.com to share your product and company news coverage with AJAXWorld readers.

Comments (1)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.