Monthly archives: August 2007

AJAX Security Considerations…

As many of my blog readers know, AJAX is a very popular web development technology right now. AJAX gives web developers the ability to provide desktop-application-like functionality in web applications. Without AJAX many of the tools I use every day, such as GMail, Google Reader, and Google Maps, just wouldn’t be nearly as fun or easy to use. Don’t worry, I do occasionally use non-Google sites that make heavy use of AJAX, I just can’t think of them right now.

However, as recently reported by security researchers from SPI Dynamics at the Blackhat USA 2007 security conference, the benefits of AJAX don’t come without significant security risks.

One of the main problems with AJAX is that a lot of logic that traditionally ran on the server is now executed on the client side, in JavaScript that the browser downloads. This gives would-be attackers a ton of insight into how your application functions, and since the client is entirely under their control, they can read and modify that logic and the requests it sends. Once equipped with these details it is much easier for attackers to trick web applications into doing things they’re not designed to do, especially when the server trusts values the client computed.

The presenters at Blackhat showed the audience how a mock AJAX travel site could be tricked into selling tickets cheaper and also tricked into blocking ticket sales for the same airplane. I think these two examples show exactly how important it is for web developers to secure AJAX.

My recommendation on this subject is not to stop developing with AJAX but to take the time and effort to learn about the security problems associated with this web development technique and the ways to avoid the common pitfalls. Doing so will make the web a safer place for each of us.

If you want a place to start learning more about AJAX security, Darknet offers some good insight on securing AJAX by explaining some of the common ways to attack AJAX applications.

[via Ars Technica]

Sabbath Eve

I came across a wonderful prayer the other day titled A Sabbath-Eve Gospel Prayer. This is a prayer that each Christian should pray before heading off to Church. It hints at preparing your heart and mind to focus on God rather than yourself or others. My favorite part of the prayer is when the author quotes John Stott’s words:

The essence of sin is man substituting himself for God, while the essence of salvation is God substituting himself for man. Man asserts himself against God and puts himself where only God deserves to be; God sacrifices himself for man and puts himself where only man deserves to be.

These words really touch on the beauty of the Gospel. [via Questio Coram Deo]