August 2, 2007 8:39 AM PDT

Rush to adopt Ajax leaves many sites vulnerable, experts say

LAS VEGAS--Want to build a Web site with all the latest Ajax technology? Or how about "Ajaxifying" an existing application? Bryan Sullivan, Senior Research Engineer for SPI Labs, and Billy Hoffman, SPI Labs' team leader, did just that during their talk "Premature Ajax-ulation" Wednesday afternoon at Black Hat. The two said that often developers see only the code that works, and not how someone else may come along and exploit it.

To demonstrate, Sullivan and Hoffman built a mock travel Web site, Hacker Travel.com.

"We're actually using examples that we find from popular Ajax books, from popular Ajax Web sites," said Hoffman. "We're going to say, 'Look, we built this the way you were supposed to build it, the way so-called authoritative sources told you to.' Now here's what we need to be thinking about while you are developing these apps. And we're going to poke holes at it and show how to basically develop these things securely from the start."

Hoffman said companies traditionally hire third parties to come in and audit their site or perform a penetration test, then dump a thick PDF report on the developers' desks and say "here, fix it." What do the developers do? "They go and they type 'SQL injection' into Google and they find the first page and say 'Oh, here's how I fix it.'" That simply doesn't work, says Hoffman.

During the talk, Hoffman showed how perfectly functional Ajax code could easily be manipulated by examining the JavaScript in the browser. Ajax by design pushes some of the sensitive decisions out from the server onto the client. That may speed the process for the end user, but it also exposes the process to attack. In one example, Hoffman lowered the price of an airline ticket to one dollar by manipulating the JavaScript. He also created a denial-of-service attack by turning off the hold release function and holding all the available seats on a flight.

The problems, said Sullivan and Hoffman, lie in the best practices often printed about Ajax. They said never put business logic on the client side, never use a single JavaScript to handle all the function calls, and don't use DataSet objects. When all the secrets are stored on the server side as opposed to the client side, the site is better protected against attack.
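
The two issues described above (a price decided in the browser, and a seat-hold release that only the client triggers) come down to where the decision is made. The sketch below is an added example, not code from the talk or from the demo site; the flight data, function names, hold lifetime and per-session cap are all assumptions made for illustration. It shows a handler that trusts the client's price beside server-side handlers that own the price and the hold expiry.

```javascript
// Added example; flight data, names and limits are constructed for illustration.
const FLIGHTS = new Map([['HT100', { price: 450, seats: ['1A', '1B', '1C', '1D'] }]]);
const HOLD_TTL_MS = 10 * 60 * 1000; // holds expire on the server's clock
const MAX_HOLDS_PER_SESSION = 2;    // one session cannot hold a whole flight
const holds = new Map();            // "flight:seat" -> { session, expires }
const sold = new Set();             // "flight:seat" keys already purchased

// Weak pattern: the amount charged is whatever the browser sent.
function purchaseTrustingClient(req) {
  return { ok: true, charged: req.price };
}

// Return the live hold for a key, dropping it if its lifetime has passed.
function activeHold(key, now) {
  const h = holds.get(key);
  if (h && h.expires <= now) { holds.delete(key); return undefined; }
  return h;
}

function holdSeat(session, flightId, seat, now = Date.now()) {
  const flight = FLIGHTS.get(flightId);
  const key = `${flightId}:${seat}`;
  if (!flight || !flight.seats.includes(seat) || sold.has(key)) {
    return { ok: false, error: 'seat unavailable' };
  }
  const existing = activeHold(key, now);
  if (existing && existing.session !== session) return { ok: false, error: 'seat held' };
  let mine = 0; // live holds this session already has on other seats
  for (const [k, h] of holds) {
    if (activeHold(k, now) && h.session === session && k !== key) mine++;
  }
  if (mine >= MAX_HOLDS_PER_SESSION) return { ok: false, error: 'hold limit' };
  holds.set(key, { session, expires: now + HOLD_TTL_MS });
  return { ok: true };
}

// Hardened pattern: req.price is ignored; the amount comes from server data.
function purchase(session, req, now = Date.now()) {
  const flight = FLIGHTS.get(req.flightId);
  const key = `${req.flightId}:${req.seat}`;
  const h = flight && activeHold(key, now);
  if (!h || h.session !== session) return { ok: false, error: 'no active hold' };
  holds.delete(key);
  sold.add(key);
  return { ok: true, charged: flight.price };
}
```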

So very true
by rameshvishnu August 2, 2007 9:34 AM PDT
The craze of being cool and adopting every new technology could be defeating the purpose. Just as a screwdriver cannot be used to cook and a ladle cannot be used to drive a screw, the appropriate usage of tools is extremely important. Developers have to implement the appropriate solutions for the business purposes and refrain from using customers as guinea pigs.
You get what you pay for
by AndrewRich August 2, 2007 4:25 PM PDT
"never put business logic on the client side, never use single Javascript to handle all the function calls, and don't use DataSet objects"
...
And consider paying your own onsite English-speaking developers to do your site instead of outsourcing it.