AJAX Security

From Computing and Software Wiki

Revision as of 23:53, 11 April 2009 by Leungg2 (Talk)


AJAX stands for Asynchronous JavaScript And XML. AJAX is a type of programming rather than a new type of technology: it combines existing technologies to provide a robust foundation for web applications. These technologies include:[4]

  1. HTML and Cascading Style Sheets (CSS)
  2. Document Object Model (DOM)
  3. XML
  4. XML HTTP Request
  5. JavaScript (JS)

The use of AJAX provides faster and more user friendly web applications than traditional web sites.



Advantages of AJAX

AJAX is used to give users a better web browsing experience, because it is faster and more interactive than traditional web technologies.

Its main advantage is the use of the XML HTTP Request, which allows a web page to refresh a small portion of its data from a web server asynchronously, rather than being forced to reload and redraw the entire page as in traditional web programming.[5]

Current websites using AJAX include Google Calendar, Gmail, Yahoo!, and NetVibes.[6]

How it is implemented

[Image: Ajax1.JPG]

Security Vulnerabilities

Due to the increased popularity of AJAX and companies' reliance on internet technology, web-based applications have become more prone to attacks. Organizations must be prepared and secure themselves against these security risks.

By its nature, AJAX increases interactivity. It also generates more network traffic, which consequently increases the chance of attacks that may not have been possible with traditional technology.

AJAX technology is more of a white box application. The Ajax engine uses JavaScript to capture the user commands and to transform them into function calls. Such function calls are not encrypted and are sent in plain, visible text to the server; they may easily reveal important and private data, which may be manipulated by a hacker.[4]

Although it is possible to obfuscate JavaScript, doing so only makes the code more difficult, not impossible, for hackers to read.[3] With this information, a hacker can easily use AJAX functions without the intended interface by crafting specific HTTP requests directly to the server.[4]
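Because requests can be crafted directly, as described above, the server has to check every AJAX function call itself. The following is an added example (not part of the original wiki page) of a server-side dispatcher that enforces session, function allowlist, parameter validation and per-call authorization; `ENDPOINTS`, `handleAjaxCall`, `getOrder`, `listAllOrders` and the order data are hypothetical names and constructed values.

```javascript
// Added example: server-side dispatcher for AJAX function calls.
// All names and the sample data below are hypothetical / constructed.
const ORDERS = { 101: { owner: "alice", total: 40 }, 102: { owner: "bob", total: 75 } };

// Allowlist: only functions listed here are callable, each with its own
// parameter validation and authorization rule, enforced on the server.
const ENDPOINTS = {
  getOrder: {
    validate: (p) => Number.isInteger(p.id) && p.id > 0,
    authorize: (user, p) => ORDERS[p.id] !== undefined && ORDERS[p.id].owner === user.name,
    run: (user, p) => ({ id: p.id, total: ORDERS[p.id].total }),
  },
  listAllOrders: {
    validate: (p) => Object.keys(p).length === 0,
    authorize: (user) => user.role === "admin",
    run: () => Object.keys(ORDERS).map(Number),
  },
};

function handleAjaxCall(session, request) {
  // 1. The request may come from any HTTP client, not our page: require a session.
  if (!session || !session.user) return { status: 401, body: "login required" };
  // 2. Reject unknown function names; the own-property check keeps inherited
  //    keys such as "constructor" from being treated as endpoints.
  if (!request || typeof request.fn !== "string" ||
      !Object.prototype.hasOwnProperty.call(ENDPOINTS, request.fn)) {
    return { status: 404, body: "unknown function" };
  }
  const ep = ENDPOINTS[request.fn];
  const params = request.params && typeof request.params === "object" ? request.params : {};
  // 3. Re-validate parameters even if the page's JavaScript already did.
  if (!ep.validate(params)) return { status: 400, body: "bad parameters" };
  // 4. Authorize per call: hiding a button in the UI is not access control.
  if (!ep.authorize(session.user, params)) return { status: 403, body: "forbidden" };
  return { status: 200, body: ep.run(session.user, params) };
}
```
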



Types of Attacks on AJAX

Cross Site Scripting

One of the major concerns is attacks that exploit AJAX through Cross Site Scripting. In the case of cross-site scripting, maliciously injected scripts can leverage the functionality AJAX provides to act on behalf of the user, tricking the user with the ultimate aim of redirecting their browsing session (e.g., phishing).

Example

HTML Code
AJAX Code

The effect of MyLocalWeatherForecast.com’s shift to Ajax is that the client-side portion of the application (and by extension, the user) has more visibility into the server-side components.



See Also

References

External Links

Attack AJAX Web Applications

AJAX Tutorial

AJAX Security

Are AJAX Applications Vulnerable to Hack Attacks?

Testing for Security in the Age of AJAX Programming

Web 2.0 Magazine: Sites using AJAX
