AJAX and Security, Revisited

In the last two days I’ve started to notice a number of articles detailing security in an AJAX application. Apparently there are a lot of people out there touting AJAX as this super-secure way of serving content on the web. And then there are those that are touting it as less secure than traditional DHTML sites. Mike Kemp of Heise Security warns that AJAX can open you up to attack while Jeremiah Grossman of Whitehat Security explains that AJAX is no less secure than traditional DHTML.

But let’s look at the reality of the situation. Regardless of the language and methodology used, security still breaks down into some fairly straightforward concepts :

    1. Never trust the client
      • In simple terms, consider the user of the application to be the enemy. Double check everything the user sends you and make sure that what they send is acceptable. Be as restrictive as possible because even the simplest mistake can be costly.
    2. Design using the Defense In Depth approach
      • Defense in depth is a security strategy in which you use multiple layers of defense to prevent attacks. This type of strategy goes beyond the web page you are trying to serve and encompasses the network as well. Simply put, you design your security to run at each layer. What this means is that instead of just checking input at the server level you instead check it at every layer the data interacts with. While this means more code, it can also mean more security. If someone was able to get through one layer, it doesn’t mean they’ll get through the next.
    3. Test Test Test
      • Before you release your application, you test it. Add security penetration testing to your test suite. Attack the application from every angle you can think of and, if possible, have others attack it as well. It’s very hard for a programmer to check his own work for security flaws because he knows what the program is designed to do and what security code has been put in place. Having someone else test your application can reveal security and application bugs that you as a developer would never find.
    4. Keep up with current technology
      • Keeping up with technology is one of the best ways to learn how to secure your applications. I highly recommend reading security related programming books, blogs, and news to find out about new techniques, reinforce old techniques, and, most importantly, to keep security at the forefront of your mind. If you’re not thinking security, then you’re likely to make simple mistakes that can cost a lot in the long run.
    5. Make sure your tools are up to date
      1. The tools you use can be the source of security bugs if you don’t keep them up to date. A great example of this are the APIs you use within your programs. If you link to old versions of the APIs then you may be susceptible to security and application bugs that were fixed in later releases. APIs are usually a black box item, so make sure you check into the API before deciding upon it’s use.

These are just a few ways to make sure you’re maximizing security in your code. There are many other lists out there, but you’ll find that they all come down to the same few basic principles. Never think that your program is 100% secure, there’s always a way to attack it. You just need to be more diligent than the attackers.

AJAX Security

I read an interesting article today over at Darknet. It brings to light some of the “new” techniques that can be used to exploit newer Web 2.0 applications.

 

The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I’m splitting coding time between idiot proofing the application so the end user is forced to put in the right data, and hack proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you’ve covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren’t new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. Ok, all well and good, but how do you make sure you’re still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User Agent string and the referrer URL. Mind you, this can all be spoofed. In fact, spoofing the UA and referrer is extremely easy and can be done with tools like curl and wget. So what is the best way to secure these apps?

I haven’t really started working with AJAX very seriously, so I haven’t done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browsers memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I’m not sure how hard anyone has tried to hack it. I’m definitely interested in more security, though, provided it doesn’t slow things to a grinding halt.

Of course, there’s always the one true way for security. Unplug it. Turn it off. If it’s not running, it can’t be broken into.. Well, not yet anyways.. There’s always the quantum level.

AJAX : It’s not just for cleaning anymore…

There’s a new or, rather, old programming language.. wait.. language? Hrm.. mixture of concepts is more like it. Anyways, there’s this new way of doing things on the web. It’s called AJAX which is an acronym for Asynchronous Javascript and XML. Based on the XMLHttpRequest object, it allows a web programmer to transfer information between the server and the web browser without requiring a complete reload of the web page. Pretty nifty stuff.

 

Dubbed Web 2.0, this “new” technology is revolutionizing the way users interact with the web. More than a mere buzzword, AJAX is sweeping the web and offering up some very powerful web applications. Gmail has been using AJAX for a while now. AJAX, combined with DHTML, allows you to “build” your Google homepage, and allows that same page to be updated on the fly without reloading the entire page. More recently, sites such as Netvibes, Pageflakes, and Eskobo offer “Web Desktops”. Other sites such as Yahoo Maps and Google Local offer web based mapping software without the arrow clicking and page reloading.

I’ve purchased a book on AJAX to enhance my own knowledge of this powerful web development tool. It’s definitely an intruiging concept and it seems simple enough up front, but extremely powerful when you get deep into it. Stay tuned for more!!!