AJAX:Dynamic Program Change=Security Gap

Infoworlds Martin Heller keeps harping on a JavaScript problem that is fundamental to the assessment of its security risks: Dynamic change in scripts of program code addresses that are publicly available and therefore subject to malevolent misdirection. The latest investigation by Martin into some details on Ruby on Rails implementation of CRUD is even more alarming than JavaScript prototype problem cited earlier. AJAX, Scripting, and Web 2.0 developers are going to have to come to terms with these potential security weaknesses. As before – these problems are not limited to AJAX but stretch to the broader JavaScript family of scripting languages (this includes to an extent Adobe Flash whose ActionScript is almost a direct super-set of JavaScript 2.0).

The problem occurs where script code is embedded on the client as pure text open to scanning (or even embedded in a Flash.SWF but still open to malicious scanning) and hacking attack. Flash might be able to protect itself with .swf checksum matching but the problem as Martin is so delicately trying to point out is “ugly”. One could easily see automated routines searching through downloaded web pages spotting dynamic code changes in JavaScript code and then targetting such systems. The fact that they are common CRUD apps makes the likeliehood that such vulnerabilities could be easily spotted and therefore made targets of exploitation even more readily.

Heller to AJAX/JavaScript community – 1)pull up heads; 2)shake off sand; and 3)feel the heat.

(c)JBSurveyer 2007
If you liked this, let others know: Slashdot Digg del.icio.us reddit newsvine Y! MyWeb