Black Hat: Security researchers exercise AJAX attacks

Experts say attacks are made easy by a lack of expertise among developers working with the AJAX language

The presence of AJAX code in Web applications continues to grow at a rapid pace, but many of the programs built using the language remain extremely vulnerable to various forms of attack, according to researchers with applications testing specialists SPI Dynamics.

Presenting at the Black Hat 2007 security conference in Las Vegas, Billy Hoffman, lead researcher in SPI's Labs group, and Bryan Sullivan, one of the Atlanta-based company's senior research engineers, detailed a number of methods through which they said many common AJAX applications can be targeted by malicious hackers.

Hoffman, who presented on potential AJAX security concerns at last year's Black Hat show to illustrate some of the attack vectors that can be introduced via use of the language, said that this year's presentation was aimed at proving just how easy it is to manipulate live applications built with the development tools.

Identified as a so-called Web 2.0 programming language, which melds Asynchronous JavaScript and XML to boost the interactivity of Web sites, AJAX has become widely employed among many different types of sites -- including online applications made by major companies such as Google and Yahoo -- but many developers working with the language remain unaware of its security implications, the researchers said.

To illustrate just how AJAX applications can be victimized, the researchers built a fictional travel site called utilizing programming tips offered by popular developer resources, both Web sites and printed manuals, which they used to demonstrate their attacks to the Black Hat audience.

Following the advice offered by mainstream AJAX resources, the SPI experts maintain that the fictional site and its many functions, including its airline flight reservation and payment processing systems, could be compromised easily.

"Using AJAX you're essentially creating a system whereby raw results are handed over to the client and allow the client logic to take over. In one way I can see how people like that because of the ability to scale the application, but the problem is that this creates a huge security hole," Sullivan said.

"It makes it easier for hackers to exploit any security issues by an order of magnitude compared to more traditional Web applications," he said. "What once took a lot of work to find a way to exploit the application can now be completed in one or two steps."

The SPI researchers demonstrated a number of potential attacks that can be carried out against AJAX-bred programs such as their travel site, including DoS threats, so-called client-side pricing schemes -- whereby they reduced the price of tickets on the URL -- and hacks into backend databases supporting such e-commerce applications.

Hoffman said that when he recently attended an AJAX-related development conference to offer his security observations, he was appalled by the programming advice offered in the printed materials being distributed by show organizers.

On many pages of the handouts, there were flagrant security flaws being espoused as practical development techniques, he said.

As many business have moved to blend AJAX into older Web applications or asked their programmers to begin working with the language, the lack of experience in securing AJAX, or writing the code altogether, has become startlingly clear, according to the expert, whose company was recently purchased by Hewlett-Packard.

"When you have a dumb terminal like a traditional browser handling AJAX, you can throw in all sorts of dummy data in and get back verbose error responses that give away information on local file systems," Hoffman said. "These aren't the sort of things that will bubble up in typical quality assurance tests; developers are just starting to become more aware of how they need to approach security for traditional Web applications. With AJAX it becomes much more sophisticated to even identify these problems."

The researcher said that the AJAX security issue is far worse than it was even one year ago because so many more sites have added the code to their applications. Online behemoths including Google, MySpace, and Yahoo have already identified major AJAX-oriented weaknesses in their sites.

For smaller companies with fewer resources, fixing the issues won't be as easily pulled off as it has been by the larger Web applications firms, he said.

The SPI researchers offered some advice to companies who use AJAX on to how to best protect themselves, such as applying authentication tools for every request the applications carry out or fixing software vulnerabilities themselves so that AJAX can't be used to access the flaws. But the best advice is to use extreme caution whenever applying the language, they said.

"As a last resort you want to consider abstinence from AJAX -- only use it when absolutely necessary, not just because you can," Sullivan said. "If you're updating 80 to 90 percent of your pages in AJAX, that's probably not a good idea."

Despite the SPI experts' warnings, some security researchers maintain that AJAX is not really the underlying issue at hand and that the technology is just another vehicle that can be used to exploit common vulnerabilities such as SQL injections that can be delivered in many other formats.

Respected security researcher Robert Hansen, better known by his screen name "RSnake," said that blaming AJAX for the issues doesn't make much sense, despite the viability of the attacks that the SPI experts demonstrated.

"There isn't any vulnerability in AJAX that's to blame. These are attacks that could be successfully carried out on almost any type of Web application," Hansen said. "AJAX has certainly had the effect of making it harder for testers to assess the security of applications, but AJAX doesn't really change anything in terms of the degree of vulnerability; it's just another avenue that's being made available to attackers."