Davey Winder's Blog

Premature Ajax-ulation

By Davey Winder in Editorial

Posted in Ajax on August 5, 2007 at 2:32 pm


The Black Hat security conference in Las Vegas has come up trumps in the bad puns but good advice stakes, with SPI Labs warning businesses about the dangers of premature Ajax-ulation.
What researchers Bryan Sullivan and Billy Hoffman were actually referring to was the risk of web developers giving in too readily to the urge to use Ajax techniques: techniques that, the researchers claim, can push far too much business logic over to the client side, where users can manipulate it, and so lead to security breaches.

Demonstrating their point with SQL and XPath injection exploits, the pair built a travel site that could easily be hacked, tricking the system not only into blocking the sale of tickets for any given flight, but also into reducing the price of the tickets being purchased. Sounds good to me, cheap tickets and an empty plane! Probably wouldn't sound so good to the travel agent if it had been a genuine site though.
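As an added illustration of the pattern the researchers were warning about (this is example code written for this page, not code from the original post or from the SPI Labs demonstration), here is a toy checkout in Node.js. The vulnerable handler trusts the fare and the seat count that the browser's Ajax code computed and sent along with the request, which is exactly what lets a user empty the plane or cut the price; the hardened handler takes only a flight identifier from the client and recomputes both from server-side data. The flight table, handler names and request shapes are assumptions made for the example.

```javascript
// Added example (not from the original post or the SPI Labs demo): a tiny
// "travel site" checkout. All data below is constructed for the example.

// Authoritative flight data, held server-side (constructed sample).
const FLIGHTS = {
  BA117: { price: 450, seatsLeft: 12 },
  VS003: { price: 389, seatsLeft: 0 },
};

// Vulnerable: the fare and availability logic lives in browser JavaScript,
// so the Ajax client posts {flight, price, seatsLeft} and the server believes it.
function checkoutVulnerable(req) {
  if (req.seatsLeft <= 0) {
    return { ok: false, reason: "sold out" }; // attacker sends seatsLeft: 0 -> sale blocked
  }
  return { ok: true, charged: req.price };    // attacker sends price: 1 -> fare reduced
}

// Hardened: only the flight identifier is taken from the client, and even that
// is checked against a strict allow-list pattern before it touches any lookup
// (which also keeps injection strings such as "' OR 1=1" out of a query).
function checkoutHardened(req, flights = FLIGHTS) {
  const id = typeof req.flight === "string" ? req.flight : "";
  if (!/^[A-Z]{2}\d{1,4}$/.test(id)) {
    return { ok: false, reason: "invalid flight id" };
  }
  const flight = Object.prototype.hasOwnProperty.call(flights, id) ? flights[id] : null;
  if (!flight) return { ok: false, reason: "unknown flight" };
  if (flight.seatsLeft <= 0) return { ok: false, reason: "sold out" };
  return { ok: true, charged: flight.price };  // price and inventory owned by the server
}

// Replays the two attacks described in the post against both handlers.
function demo() {
  const cheap = { flight: "BA117", price: 1, seatsLeft: 1 };   // tampered fare
  const empty = { flight: "BA117", price: 450, seatsLeft: 0 }; // tampered inventory
  return {
    cheapFare: { vulnerable: checkoutVulnerable(cheap), hardened: checkoutHardened(cheap) },
    emptyPlane: { vulnerable: checkoutVulnerable(empty), hardened: checkoutHardened(empty) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened version is not the regular expression but where the decision is made: whatever the browser sends about price or availability is treated as a suggestion at best and ignored. Where the lookup is a real SQL or XPath query, the identifier should additionally go in as a bound parameter rather than be concatenated into the query text; the allow-list check is a second line of defence, not a substitute.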

The whole area of web application security needs to be taken much more seriously than it appears to be at the moment, as more and more companies seek a competitive edge by leveraging Ajax technologies. A dynamic web is a great thing which holds much promise, but if basic security tenets are ignored in the rush to market, well, it doesn't take a genius to predict how quickly that advantage will turn sour.

Hoffman says: "Ajax applications run more code on the client than traditional web applications; this provides an attacker with all kinds of insight into how Ajax applications function, such as what web services it talks to, the function names and variable data types, as well as the control flow of Ajax applications and how data is stored."

I’d be inclined to listen to the man.
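To show what Hoffman means in practice, here is an added example (written for this page, not code from the original post or from SPI Labs) of the kind of reconnaissance a tester runs over a downloaded Ajax bundle: pull out the web-service endpoints, the function names and their parameters, and the client-side fields that look like they carry business decisions. The bundle it scans is a constructed sample in the style of a 2007-era travel site, not real code from any site, and the field list in suspiciousClientFields is an assumed starting heuristic rather than anything from the talk.

```javascript
// Added example (not from the original post): recovering endpoints, function
// names and tamper-worthy fields from client-side Ajax code.

// Constructed sample bundle, standing in for a script fetched from a target.
const SAMPLE_BUNDLE = `
function getFare(flightId) {
  return $.getJSON("/services/fare.asmx/GetFare", { id: flightId });
}
function checkSeats(flightId) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/services/inventory/check");
  xhr.send(JSON.stringify({ flight: flightId, debug: false }));
}
function buyTicket(flightId, price) {
  return fetch("/services/checkout?admin=0", { method: "POST",
    body: JSON.stringify({ flight: flightId, price: price }) });
}
var CONFIG = { adminPath: "/services/admin/override" };
`;

// Every absolute-path string literal: call arguments and config blocks alike
// leak the web services the client talks to. Returned sorted and de-duplicated.
function enumerateEndpoints(src) {
  const found = new Set();
  const literal = /["'](\/[A-Za-z0-9_./?=&-]*)["']/g;
  for (const m of src.matchAll(literal)) found.add(m[1]);
  return [...found].sort();
}

// Named function declarations with their parameter lists: the control-flow
// map and variable names Hoffman refers to, straight from the source.
function enumerateFunctions(src) {
  const decl = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)/g;
  return [...src.matchAll(decl)].map((m) => ({
    name: m[1],
    params: m[2].split(",").map((p) => p.trim()).filter(Boolean),
  }));
}

// Words that suggest a business decision is being made or carried client-side
// (assumed heuristic list); each is a candidate for tampering in a proxy.
function suspiciousClientFields(src) {
  const re = /\b(price|cost|total|discount|seats?|admin|debug|role)\b/gi;
  const hits = [...src.matchAll(re)].map((m) => m[1].toLowerCase());
  return [...new Set(hits)].sort();
}

console.log("endpoints:", enumerateEndpoints(SAMPLE_BUNDLE));
console.log("functions:", enumerateFunctions(SAMPLE_BUNDLE));
console.log("fields worth tampering with:", suspiciousClientFields(SAMPLE_BUNDLE));
```

On the sample this surfaces an admin override path that no normal page flow ever calls, a checkout call that sends the price from the browser, and a debug flag, which is precisely the "insight into how Ajax applications function" that makes the server-side checks in the previous example necessary. Minified or obfuscated bundles defeat the function-name regex but not the string-literal scan, since endpoint paths have to survive minification to work.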
