The presence of AJAX code in Web applications continues to grow at a rapid pace, but many of the programs built using the language remain extremely vulnerable to various forms of attack, according to researchers with applications testing specialists SPI Dynamics.
Presenting at the Black Hat 2007 security conference in Las Vegas, Billy Hoffman, lead researcher in SPI's Labs group, and Bryan Sullivan, one of the Atlanta-based company's senior research engineers, detailed a number of methods through which they said many common AJAX applications can be targeted by malicious hackers.
Hoffman, who presented on potential AJAX security concerns at last year's Black Hat show to illustrate some of the attack vectors that can be introduced via use of the language, said that this year's presentation was aimed at proving just how easy it is to manipulate live applications built with the development tools.
To illustrate just how AJAX applications can be victimized, the researchers built a fictional travel site called HackerVacations.com utilizing programming tips offered by popular developer resources, both Web sites and printed manuals, which they used to demonstrate their attacks to the Black Hat audience.
Following the advice offered by mainstream AJAX resources, the SPI experts maintain that the fictional site and its many functions, including its airline flight reservation and payment processing systems, could be compromised easily.
"Using AJAX you're essentially creating a system whereby raw results are handed over to the client and allow the client logic to take over. In one way I can see how people like that because of the ability to scale the application, but the problem is that this creates a huge security hole," Sullivan said.
"It makes it easier for hackers to exploit any security issues by an order of magnitude compared to more traditional Web applications," he said. "What once took a lot of work to find a way to exploit the application can now be completed in one or two steps."
The SPI researchers demonstrated a number of potential attacks that can be carried out against AJAX-bred programs such as their travel site, including DoS threats, so-called client-side pricing schemes -- whereby they reduced the price of tickets on the URL -- and hacks into backend databases supporting such e-commerce applications.
Hoffman said that when he recently attended an AJAX-related development conference to offer his security observations, he was appalled by the programming advice offered in the printed materials being distributed by show organizers.
On many pages of the handouts, there were flagrant security flaws being espoused as practical development techniques, he said.