Black Hat: Security researchers exercise AJAX attacks

According to Computerworld Singapore:

The presence of AJAX code in Web applications continues to grow at a rapid pace, but many of the programs built using the language remain extremely vulnerable to various forms of attack, according to researchers with applications testing specialists SPI Dynamics.

Presenting at the Black Hat 2007 security conference in Las Vegas, Billy Hoffman, lead researcher in SPI's Labs group, and Bryan Sullivan, one of the Atlanta-based company's senior research engineers, detailed a number of methods through which they said many common AJAX applications can be targeted by malicious hackers.

Hoffman, who presented on potential AJAX security concerns at last year's Black Hat show to illustrate some of the attack vectors that can be introduced via use of the language, said that this year's presentation was aimed at proving just how easy it is to manipulate live applications built with the development tools.

Identified as a so-called Web 2.0 programming language, which melds Asynchronous JavaScript and XML to boost the interactivity of Web sites, AJAX has become widely employed among many different types of sites -- including online applications made by major companies such as Google and Yahoo -- but many developers working with the language remain unaware of its security implications, the researchers said.

To illustrate just how AJAX applications can be victimized, the researchers built a fictional travel site called utilizing programming tips offered by popular developer resources, both Web sites and printed manuals, which they used to demonstrate their attacks to the Black Hat audience.

Following the advice offered by mainstream AJAX resources, the SPI experts maintain that the fictional site and its many functions, including its airline flight reservation and payment processing systems, could be compromised easily.

... Respected security researcher Robert Hansen, better known by his screen name "RSnake," said that blaming AJAX for the issues doesn't make much sense, despite the viability of the attacks that the SPI experts demonstrated.

"There isn't any vulnerability in AJAX that's to blame. These are attacks that could be successfully carried out on almost any type of Web application," Hansen said. "AJAX has certainly had the effect of making it harder for testers to assess the security of applications, but AJAX doesn't really change anything in terms of the degree of vulnerability; it's just another avenue that's being made available to attackers."

See more at Computerworld Singapore

There are many reasons why AJAX can be vulnerable, as mentioned in the article, but do the benefits of asynchronous loading and more user-friendly interfaces override the danger? Yes and no.

If your site is a web application that deals with money, such as an auction site, shopping cart, payment gateway or similar business-related site, then it's best to avoid AJAX web programming methods, as hackers have more reasons to attack such sites.

The current batch of vulnerable Web 2.0 sites is attractive to hackers only for collecting user information for spam and identity theft, which are minor problems compared to the direct loss of money from stolen credit card information. The tips for avoiding hacking problems on Web 2.0 sites are not to put your real name (based on identity documents) on the profile page and to use spam filters. Try to avoid using the same password on both social networking sites and banking-related sites (including PayPal).

Unfortunately, hackers are still widely present in the Internet world, regardless of whether they are whitehat, blackhat or the most destructive hackers glorified in the movies "The Hackers" and "Die Hard 4.0".

Internet businesses will always fail to understand why their Internet portal does not bring in the money that it is supposed to make with such a worldwide population of users. Consumers who lack the confidence to part with sensitive credit card information usually shy away from purchasing anything online, even from legitimate companies, because of security vulnerabilities and fraud cases.

Bringing back consumer confidence is much harder than selling endowment insurance to a 12-year-old to save money. It's once bitten, twice shy: once trust has been broken, one or two articles about real-life Internet fraud cases, or the sight of a popular website vandalized by hackers, can shake consumer confidence greatly.

Horror stories of people being cheated of huge amounts of money by Internet fraud are not uncommon... such news is generally great for warning unsuspecting new users of the Internet, but it is a great rice bowl breaker for Internet businesses.

It's about time to work out the proper integration of web services with services in the real world... for example, DHL's delivery tracking on its website does not interfere with the delivery schedule. Internet banking uses a live password from a password generator key chain... which is great, but I personally feel that credit cards, rather than savings accounts, should be the ones that need an ever-changing password generator key chain.

Any idea when the banks can think of that? Does it need a third-party company to do it for them? I mean, if some payment gateway can come up with this idea to solve the problem of hackers obtaining the passwords to their Internet banking or credit card details... then online business will boom beyond recognition!

The retail shop next door or down the street might be online, selling you a carton of Coca-Cola cheaper because it's purchased online and requires no physical retail shop... other than a storage shed (which can be in their residential home) and a delivery truck. A bowl of hot steaming noodles might just be purchased online and delivered to your doorstep (cooked just before reaching your house in a van)... these can be visualized as the future of Internet businesses... only to be dreamed of.

Those who are earning some money online are those selling things not common in their own country or retail shops... hence purchasing from overseas via the Internet. It's not as widespread as buying something as common as daily essentials such as shampoo, facial wash, toothpaste, etc.

The reason is a lack of consumer confidence.