Static Web applications load a page into a user’s Web browser and then cut off connection with the Web server. If the user initiates an action that requires a refresh of the page display, the application must re-establish the Web server connection and refresh the entire page. Ajax includes a technique known as XML HTTP Request that allows data to be retrieved asynchronously in the background, eliminating the need to reload the page for every user interaction.
Ajax consists of these technologies:
- HTML, XHTML and CSS (Cascading Style Sheets) for web page presentation.
- XML and XSLT enable interchange of data and play a role in data manipulation and display.
- Document Object Model (DOM) provides mechanisms for dynamic display of data and user access of web page content.
- XML HTTP Request enables asynchronous data retrieval.
The term “Ajax” was invented in 2005 by a Web user experience designer named Jesse James Garrett. Since then, Ajax technologies have come to be associated with increased levels of usability, performance and interaction in Web applications. The user experience has become richer as Web applications and traditional PC and Mac-based applications have become more similar. Web applications such as Google Docs and Yahoo Mail now resemble desktop spreadsheets, word processors and email applications.
Web applications that utilize Ajax also benefit in these areas: Web form submission, search query fetches, category tree edits, record inserts and deletes. Each of these operations can be performed asynchronously and independently.
Ajax application attack vulnerabilities
When developers tap into the power of Ajax for Web applications, they need to be aware of potential security breaches that will leave their applications vulnerable to attack. As more businesses and organizations use Ajax-based Web applications to establish an Internet presence, hackers are becoming cleverer about compromising the security of these applications. The importance of securing Ajax implementations has never been greater.
Analyst Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, summarizes the current situation. “Companies have done a pretty good job installing firewalls and protecting networks. The area with the greatest vulnerability now is in the applications themselves. It’s proving to be an easier target.”
As Web applications become more interactive, network traffic increases. This traffic may consist of XML, text or dynamic HTML that has been generated by applications. Back-end applications may be exposed to more types of input and more risk from a lack of Web server protection. There is a real risk of insufficient server authentication that can allow malicious users to access and change their privilege levels.
False Sense of Security
Many website owners harbor a misconception about the security of Ajax-based Web applications, thinking that hackers cannot access Web server scripts unless they go through a Web application web page. When Web applications use XML HTTP Requests, server scripts are hidden, increasing the false sense of security for website owners and developers. However, XML HTTP Requests are based on the HTTP protocol, like all Web pages, and are therefore vulnerable to the same hacker threats as any other website.
If a hacker is able to intercept application function calls, they can be used to formulate new HTTP requests that are sent directly to the Web server. Cross-site Scripting (XSS) can be used to inject malicious scripts that include Ajax function calls. An application user may become the victim of browser redirection (or phishing) or have his Internet traffic monitored.
The increased use of scripts that is a key component of Ajax applications creates increased opportunity for hackers to access secure data. Besides a loss of revenue, loss of secure data can result in a loss of customer trust. Organizations that hope to benefit from Ajax technology must ensure that vulnerabilities will be removed and breaches avoided.
Securing AJAX web applications