AJAX/JavaScript Security

Reading the AJAX blogs, one topic that has become tiresome to pro-AJAXians is the need to defend AJAX and JavaScript against security threats. Their essential arguments are: a) to date, very few attacks have used JavaScript as a vector; b) JavaScript, when coded properly, is secure (though they concede that novices can code JavaScript improperly); and c) all of the modes of attack, such as dynamic reassignment, cross-site scripting, XML or SQL injection, and various others, are well known and can be prevented.

I am not so sanguine.

And neither are the following:

Jeremiah Grossman, CTO of WhiteHat Security, interviewed in the February 27th issue of Information Week, has predicted that IT departments are 9 months away from attacks that would infect users' Web browsers with JavaScript malware embedded in the Web sites they visit. And not just the individual but broader corporate networks are the targets of these malicious JavaScript-carrying agents.

Fortify Software has described in Computerworld that "a pervasive and critical vulnerability is present in 11 of the 12 most popular AJAX frameworks, and therefore in many Web 2.0 applications. It allows an attacker to pose as the application's user and intercept data sent via JavaScript commands, by using the script tag to circumvent the same origin policy imposed by Web browsers…. but fixes are available or feasible for other AJAX frameworks. However …. even applications that don't use any of the vulnerable AJAX frameworks directly could be at risk if they contain AJAX components that use JavaScript as a data transfer method."
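The weakness Fortify describes depends on a JSON response being fetched through a `<script>` tag, which is always a plain GET and cannot carry custom request headers. The following is an added example, not code from the post or from any of the frameworks mentioned, showing the two server-side checks that close that door: require a header only XMLHttpRequest can send, and prefix the body so it cannot execute as a script. The function names, header value and request objects are assumptions constructed for the example.

```javascript
// Added example (not from the original post): guarding a JSON endpoint against
// cross-origin <script src=...> retrieval. Names below are assumptions.

const REQUIRED_HEADER = "x-requested-with";
const EXPECTED_VALUE = "XMLHttpRequest";
const GUARD_PREFIX = "while(1);";   // loops forever if the body is run as a script

// A <script> include is a GET with no custom headers, so insisting on POST plus
// a header that only an in-page XMLHttpRequest can add rejects it outright.
// `req` is a plain object { method, headers } constructed for this example.
function isSameAppRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  return req.method === "POST" && headers[REQUIRED_HEADER] === EXPECTED_VALUE;
}

// Defence in depth: even if the body were loaded via <script>, the prefix stops
// the browser from evaluating the JSON array literal that follows it.
function guardedJson(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// The legitimate XHR client strips the guard before parsing; a missing guard
// means the response did not come from the hardened endpoint.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Endpoint handler returning { status, body }.
function handleJsonRequest(req, data) {
  if (!isSameAppRequest(req)) return { status: 403, body: "forbidden" };
  return { status: 200, body: guardedJson(data) };
}

// Constructed sample requests: what a <script> tag sends versus an XHR call.
const scriptTagRequest = { method: "GET", headers: {} };
const xhrRequest = { method: "POST", headers: { "X-Requested-With": "XMLHttpRequest" } };
const sampleData = [{ account: "demo", balance: 42 }];   // constructed sample
```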

Now I and many of these observers can hardly be called Agents of Doom or Redmond Web Saboteurs. Rather, we just don't want to repeat the ActiveX/Web debacle, where Microsoft and users of its IE and other Web software were explicitly warned of the dangers and risks that ActiveX and lax Web security settings exposed users to … and then, barely a year later, became victims along with everybody else of the deluge of Microsoft-caused breaches in which worms, viruses and other hack attacks based on these very same vulnerabilities crippled systems worldwide.

So before you embark on SaaS, AJAX, or Web/Enterprise 2.0 projects, make sure you come up to speed on the programming models being proposed (most use AJAX in some form or another) and explicitly understand what their security provisions are. Some vendors concede some JavaScript risks but rely on being within the corporate firewall. Others have specific hooks to provide a security guarantee (for example, Adobe is saying that its Flash, PDF and new Apollo containers will provide secure "sandlots" for their ActionScript/JavaScript to play in – much like Java). Others have base-level security provisions for their AJAX/JavaScript but then rely on your coders not to expose the systems. And so forth – know what security model your Web 2.0 apps will be using and assess how well it fits your immediate needs. But also be cognizant of future competitive forces that are likely to be more externally oriented and cross-organizational in their collaborative directions – and thereby increase the vulnerability exposure of your apps.

In sum, on this vital issue be a Dumb Boy Scout – Be Prepared. Remember, the opposition is no longer punk hackers seeking coding glory but rather organized crime out to steal your assets.

(c) JBSurveyer 2007