Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Say Ajax Not Inherently Insecure

Posted by Zonk on from the good-to-know dept.

An anonymous reader writes "Jeremiah Grossman (CTO of WhiteHat Security) has published Myth-Busting - an article dismissing the hyped-up claims that AJAX is insecure. He says: 'The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true ... Word on the cyber-street is that AJAX is the harbinger of larger attack surfaces, increased complexity, fake requests, denial of service, deadly cross-site scripting (XSS) , reliance on client-side security, and more. In reality, these issues existed well before AJAX. And, the recommended security best practices remain unchanged.'"

14 of 82 comments (clear)

  1. Strawman by markov_chain · · Score: 2, Interesting

    Way to make up an issue and then show off attacking it.

    --
    Tsunami -- You can't bring a good wave down!
  2. Vulnerability in practice is just as bad or worse by ScentCone · · Score: 5, Insightful

    When something is this widely adopted and this tempting to rapidly trot out (because PHBs are desparate for that shiny stuff as they head to the next board meeting), the fact that you're suddenly introducing a wildly more complex set of GETs and POSTs and layered hoo-hah on an interactive page (never mind the purpose of the app) means that all of the stuff that always introduces vulnerabilities will be there, multiplied by the new complexity. And, of course, with a smaller crowd of talented, experienced people truly able to quickly size up the risks as something goes live.

    It's not the (non-existent?) inherent security problems in the bundle of techniques we're referring to, it's the weaknesses that show up in the practice of shoddy implementation, cheezy hosting platforms, etc. There's nothing wrong with AJAX, it's the AJAX-envy among less sophisticated operators that we have to worry about. We just have to quit saying it's 'easy' to implement, because none of the underlying bits and pieces are (in terms of being bullet-proof) are 'easy,' and a browser-agnostic soup of a couple dozen of those bits is that many times harder.

    --
    Don't disappoint your bird dog. Go to the range.
  3. Existing Best Practices by Anonymous Coward · · Score: 2, Insightful

    Yup, existing best practices takes care of all of the security issues for AJAX: disable Javascript. Problem solved.

    With open-source, you can examine the source before you run the program, and can take steps to ensure that the program you run is compiled from the source you examined and that it's unchanged since the last time you ran the program. There's no good way to do the same thing with Javascript ... you're expected to nod agreeably when the website says "just trust us".

    "Not trusting someone who /demands/ that you trust them without evidence" should be the #1 best practice out there.

  4. Where the heck did this hype come from? by Anonymous Coward · · Score: 3, Insightful

    And who is honestly saying these things? Am I alone in not seeing the percieved risks here?

    All AJAX really gives you is that first 'A': asynchronous. All the other underlying mechanics of client-to-server communications over HTTP apply. This means that your security checklist is absolutely no different than using a good old-fashioned [form].

    To slam AJAX as insecure as a technology is just bad thinking to begin with - it's a tool, that's all. Whether or not it's used in a secure fashion is really more a best-practice and/or training issue.

    Besides, didn't we already go over all this when Web-Services were a big deal?

  5. That article was a mixed bag by Beryllium+Sphere(tm) · · Score: 3, Interesting

    There's some justice in saying that Ajax doesn't introduce any new problems over and above Javascript, but that is faint praise and doesn't allow for the fact that buzzword-compliant organizations are now creating more web sites that require Javascript.

    His advice about keeping web apps secure is sound and practical but incomplete. The last OWASP conference I went to, one of the speakers pointed out that there's an Ajax development toolkit out there in which you can't tell a priori whether a piece of functionality you program will end up on the client or on the server. "Avoid toolkits like that" should be on the list of security precautions.

    >AJAX is a web browser (client-side) technology. It does not execute on the server.

    The XMLHttpRequest certainly does execute on the server and allows a range of parser attacks that you were less likely to get with other technologies. Which would you rather validate, a set of CGI parameters or a blob of XML?

    1. Re:That article was a mixed bag by PacoSuarez · · Score: 2, Informative

      The XMLHttpRequest certainly does execute on the server and allows a range of parser attacks that you were less likely to get with other technologies. Which would you rather validate, a set of CGI parameters or a blob of XML? The XMLHttpRequest looks to the server just like any other HTTP request, with parameters passed the exact same way as you would pass them to a CGI program. The only side that needs to parse a bunch of XML is the client, which is not much of a security problem.
    2. Re:That article was a mixed bag by leighklotz · · Score: 2, Insightful

      >Which would you rather validate, a set of CGI parameters or a blob of XML?
      Um, a blob of XML. Quoting and escape characters are a big source of vulnerabilities. XML has well-defined quoting rules. CGI parameters have no structure, so structure must be done ad hoc. XML structure can be validated on the server using XML Schema or Relax, or other mechanisms.

  6. Re:Best security practices by nine-times · · Score: 2, Interesting

    Is javascript really that horrible? I know it can be used in annoying ways, how difficult is it to do something outside of superficial changes to the browser?

    I'm really asking. It seems like you should be able to have a simple scripting language that can only really manipulate superficial aspects of web pages without any real increase to the security risk. I thought this was what javascript was. Am I wrong? If so, why doesn't someone replace javascript with something better.

  7. Fortran in Haskell by Fahrenheit+450 · · Score: 3, Interesting

    This appears to be yet another case of, "You can write Fortran in any language" where the author ignores that some technologies make it much easier to write Fortran than others. Obviously with a number of things you can avoid the bad stuff by avoiding the bad stuff -- but when bad stuff is the default mode of operation, rather than the odd, explicit corner case then yes... there's an issue.

    Put another way, it's a lot easier to not write Fortran in Haskell than it is in C.

    --
    -30-
  8. Re:Best security practices by Ingolfke · · Score: 4, Funny

    Downloading the HTML via WGET and reading it VI is the only secure way to surf the net.

  9. Re:Best security practices by owlnation · · Score: 2, Insightful
    Best security practice has always been to turn off ActiveX, Javascript, Flash, and any other means by which untrusted executable content is automatically downloaded to one's machine and then automatically executed.
    Of course that is true. It's just that it's a real pain in the ass. Well, no mortal being requires ActiveX for any reason, and I block the horror that is Flash with the (truly joyous and wonderful) Flashblock extension - and rarely ever allow it to run, mostly just for YouTube.

    It's the Javascrpt that's the pain really. I tried using the noscript extension for a while, but it was actually more of an inconvenience than the risk of running something malicious. Seems that a very high number of webpages - and the most improbable ones too - use javascript and are dysfunctional if you disallow it. I'm not sure how to win with this - a little risk for a higher quality of web browsing? It's what I do, but not what I want.
  10. Re:Best security practices by nine-times · · Score: 3, Insightful

    Sites should function without script for accessibility and only the bad guys would stand to lose from a more realistic approach to security by browser vendors.

    When you can write a new version of Google's spreadsheet program that uses only HTML and CSS, I'll go along with the idea that we should get rid of javascript.

  11. deadly cross-site scripting by gad_zuki! · · Score: 2, Insightful

    I swear officer, he was alive a minute ago. He was just sitting in front of his PC trying to check his bank balance!

  12. Re:Gmail vs. Outlook Web Access by jascat · · Score: 2, Interesting

    It amazes me how people have such a false understanding of what exactly "AJAX" is. People talk about how complicated it is, which leads to insecurity. You're making requests and passing information back to the server via GET or POST. The only difference from the "traditional" way is that rather than visiting a different page, or having a self-processing page, you're having Javascript handle the sending and updating of a portion of the page. When you look at it from this perspective, you could potentially see a gain in server side security because you could build in input validation at the client side and at the server side. In theory, you could do some small scale protection of the client by incorporating validation at the client side for what gets returned to the Javascript. It all depends on how thorough you want to make it. Laziness is going to get you anytime you are dealing with user interaction, no matter what the platform is.