Software developers using Asynchronous JavaScript and XML (AJAX) techniques to jazz up corporate Web sites are failing to pay attention to some very fundamental security issues, researchers warned at the Black Hat USA conference here Wednesday.
As a result, many companies that have rushed to AJAX-enable their sites may be dangerously vulnerable to a variety of Web-based threats they're not even aware of. AJAX is an increasingly popular programming technique that lets Web designers make their sites more responsive to user input than traditional pages. Google, Yahoo and many other sites have embraced AJAX, which enables new content to be added to a Web page in response to user input without the entire page having to be reloaded.
AJAX allows the browser to fetch small amounts of data from the Web server from which the content is loaded, using JavaScript and XML technologies. The approach is considered more efficient than having an entire Web page reload every time content needs to be refreshed. But if care isn't taken to control the manner in which the browser accesses the server data, all sorts of security issues can arise, said Billy Hoffman, lead research and development engineer at Web security vendor SPI Dynamics Inc. in Atlanta.

Among the biggest of these threats, said Hoffman, is the opening that poorly coded AJAX sites give attackers to change the order in which a program executes its functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to read that code and to manipulate the order in which the program's functions are executed, Hoffman said.
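The ordering problem Hoffman describes is easiest to see in a small simulation. The following is an added example, not code from the article or from SPI Dynamics: a three-step order flow (reserve inventory, charge the card, fulfil the order) whose step names, session state and "handlers" are constructed for illustration and run as plain functions so nothing needs a real server. The naive version relies on the browser-side script to call the steps in order, so a client that calls them directly can skip the charge; the guarded version records progress on the server and rejects any call that is not the next expected step.

```javascript
// Constructed workflow: the only legitimate sequence is reserve -> charge -> fulfil.
const STEPS = ['reserve', 'charge', 'fulfil'];

// Vulnerable pattern: each handler is an independent endpoint and trusts the
// page's JavaScript to have called the earlier steps. Nothing on the server
// checks that a charge preceded fulfilment.
function naiveHandlers() {
  const order = { reserved: false, charged: false, fulfilled: false };
  return {
    reserve() { order.reserved = true; return { ok: true, result: 'reserved' }; },
    charge()  { order.charged  = true; return { ok: true, result: 'charged' }; },
    fulfil()  { order.fulfilled = true; return { ok: true, result: 'fulfilled' }; },
    state: () => ({ ...order }),
  };
}

// Hardened pattern: the server keeps a per-session cursor into STEPS and each
// handler is wrapped by a guard that refuses anything but the next step.
// The sequencing logic lives here, not in code shipped to the browser.
function guardedHandlers() {
  const order = { reserved: false, charged: false, fulfilled: false };
  let next = 0; // index of the step the session is expected to perform next

  function guard(name, action) {
    return () => {
      if (STEPS[next] !== name) {
        // Out-of-order call: reject and leave session state unchanged.
        // In a real deployment this is also the event worth logging.
        return { ok: false, error: `step "${name}" rejected; expected "${STEPS[next]}"` };
      }
      next += 1;
      return { ok: true, result: action() };
    };
  }

  return {
    reserve: guard('reserve', () => { order.reserved = true; return 'reserved'; }),
    charge:  guard('charge',  () => { order.charged  = true; return 'charged'; }),
    fulfil:  guard('fulfil',  () => { order.fulfilled = true; return 'fulfilled'; }),
    state: () => ({ ...order }),
  };
}

// A client that calls the handlers out of order, skipping the charge step.
// Returns the server's response to the fulfil call and the final order state.
function runSkipCharge(factory) {
  const h = factory();
  h.reserve();
  const response = h.fulfil(); // charge() was never called
  return { response, state: h.state() };
}

// A well-behaved client that performs every step in sequence.
function runInOrder(factory) {
  const h = factory();
  const responses = [h.reserve(), h.charge(), h.fulfil()];
  return { allOk: responses.every((r) => r.ok), state: h.state() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive, charge skipped:  ', JSON.stringify(runSkipCharge(naiveHandlers)));
  console.log('guarded, charge skipped:', JSON.stringify(runSkipCharge(guardedHandlers)));
  console.log('guarded, in order:      ', JSON.stringify(runInOrder(guardedHandlers)));
}
```

The point of the guard is that the browser can be given the function names and even the intended call order, and it changes nothing: the server alone decides whether a given step is valid for this session, and an out-of-order request is both rejected and visible in logs.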