Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.
The issue was reported in security forums several months ago and sent to CNN by researchers, but it still hasn't been fixed, Hoffman said.
Malicious-code writers are using the same techniques to create cross-site scripting (XSS) threats -- attacks that inject malicious code into end-users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.
In the case of AJAX-based Web tools -- which exchange data between backend servers and online applications without direct interaction from the end user -- malware authors have found a powerful technology for spreading their work and making off with valuable end-user data, with less danger of being caught.
The only way to improve the situation, said Hoffman, is for site operators to undertake more comprehensive efforts to rid their pages of the problems, and to slow the adoption of newer techniques, such as AJAX, which appear to outstrip many Web developers' security skills.
One of the newer wrinkles of AJAX-based attacks is the ability to create XSS threats that are self-propagating, according to Hoffman. Whereas such threats were traditionally designed to sit on a single URL and infect the people who visited it, the attacks can now be linked to Web crawling tools that find other pages that may be exploitable, specifically other sites within the same online domains.
Using such an approach, an attacker could infiltrate businesses' corporate intranets via their public Web sites and gain access to sensitive organizational data, Hoffman said.
Hoffman also demonstrated a new Web-based vulnerability scanning tool he has designed and dubbed Jikto, which uses AJAX to crawl Web sites and online applications for holes, and can be dropped into other people's browsers to use them as unknowing sources for gathering such information.