This is my personal blog and anything I write here in no way reflects the opinion of Cisco Systems, my employer. If it does, it is only by pure coincidence :) Nothing here constitutes investment advice either, so you can't sue me.
View Jason Kolb's profile on LinkedIn

Web 2.0 and AJAX Security Vulnerabilities

Ajaxian has a post about some sessions at the Black Hat USA 2006 conference. I'm quite honestly surprised that this is only now getting some press; I figured it would happen sooner than it has (but that's typical for me :). I posted on this a while back, and I haven't seen much improvement in this area since.

There are so many ways to break an application it's not even funny. I wouldn't consider a Web application secure unless it (and the company that provides it) has adequate answers to the type of security scrutiny that Sarbanes-Oxley typically requires.

On top of that, however, AJAX programming techniques do a few other things that make it easy to break applications and/or intercept sensitive data:

• LOTS of Web 2.0 applications use GET instead of POST to transmit data, which means that any IDs or commands in the query string are available in plaintext to anyone who wants them. (POSTs are vulnerable too, but not quite as easy to intercept.) If there's no solid authentication mechanism underneath, such as Digest authentication, man-in-the-middle attacks become a piece of cake: somebody could easily sniff messages and pretend to be you.
• XMLHttpRequest calls (at the core of most AJAX apps) can easily be intercepted unless they're encrypted with SSL, which almost none are. That means that pretty much anything you input into a Web 2.0 app is fair game for somebody sniffing HTTP on the network.
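
The two problems in the list above, as an added example that is not from the original post: a small JavaScript audit of what an AJAX request exposes on the wire, beside a hardened version of the same call. The request description, the list of parameter names treated as sensitive, and the host app.example are constructed for illustration.

```javascript
// Added example (not from the original post). SENSITIVE_PARAMS is an
// assumed list of query-string names worth flagging; adjust to your app.
const SENSITIVE_PARAMS = ['session', 'sessionid', 'token', 'password', 'userid', 'cmd', 'command'];

// Audit a request as an AJAX client would build it. Returns a list of
// findings describing what an on-path observer could read; [] means none.
function auditRequest({ method, url, body = null }) {
  const findings = [];
  const parsed = new URL(url);

  // Over plain HTTP the URL, headers and body are all readable on the wire.
  if (parsed.protocol !== 'https:') {
    findings.push('plaintext transport: request is not sent over SSL/TLS');
  }

  // Query-string values sit in the URL, so they also land in proxy logs,
  // browser history and Referer headers, even when TLS is used.
  for (const [name] of parsed.searchParams) {
    if (SENSITIVE_PARAMS.includes(name.toLowerCase())) {
      findings.push(`sensitive parameter "${name}" exposed in query string`);
    }
  }

  // A GET with a body is usually a sign the client picked the wrong method.
  if (method.toUpperCase() === 'GET' && body) {
    findings.push('GET request carries a body; most clients silently drop it');
  }
  return findings;
}

// Hardened form: move every query parameter into a POST body and send the
// call over HTTPS, so the URL carries nothing sensitive and the payload is
// encrypted in transit. Assumes the server speaks TLS on the same host.
function hardenRequest({ url, body = null }) {
  const parsed = new URL(url);
  const fields = body ? { ...body } : {};
  for (const [name, value] of parsed.searchParams) fields[name] = value;
  parsed.search = '';
  parsed.protocol = 'https:';
  return { method: 'POST', url: parsed.toString(), body: fields };
}

// Constructed sample: a Web 2.0-style call that puts the session id and a
// command into the query string of a plain-HTTP GET, as the post describes.
const riskyRequest = { method: 'GET', url: 'http://app.example/api?sessionid=abc123&cmd=delete' };
const riskyFindings = auditRequest(riskyRequest);   // 3 findings
const saferRequest = hardenRequest(riskyRequest);   // POST https://app.example/api, fields in body
```

Switching the scheme to https: only helps if the server actually terminates TLS there; moving fields into a POST body keeps them out of URLs, logs and Referer headers but, as the post notes, does nothing against sniffing on its own.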

Part of the reason I've been so quiet on my blog lately is that I've been wrestling with this very problem. I absolutely love everything AJAX has to offer; however, sending naked data back and forth to the server is a pretty huge problem. I also don't like the idea of securing the entire site with SSL, as that's a huge burden on the server. What I'm currently working on (as part of a much larger project) is a comet implementation that streams messages over SSL within an unsecured page, so that only the messages going back and forth to the server are encrypted. I believe it will work, but it requires a backend server to receive and queue messages, which has to be built first (similar to cometd). I'll post more about it when there's something to show.
