Ajax: Open for risky business

Interactive web applications built on Ajax (Asynchronous JavaScript and XML) are easily exploitable, SPI Dynamics warned at a Black Hat presentation. The company said the rush to incorporate the functionality found in so-called web 2.0 applications such as Google Maps offers the potential for financial disaster if Ajax-based applications are not architected properly.

Ajax uses JavaScript to store variables on the client as part of its transactional code; in a buy-sell environment, for instance, Ajax stores pricing information on the client rather than on the server, according to Bryan Sullivan, a senior research engineer at SPI Dynamics. In this architecture, a hacker could use a browser and a script debugger to change the pricing information within the browser, without the server-side code realizing it, he said.

The problem is "code on the client is out of [the developer's] control," he said. By being able to "view" the client-side code, a hacker could thus make changes to it. This would be particularly devastating in an e-commerce environment, he noted.

Sullivan's warning: "Don't put the secrets of your business in an Ajax/JavaScript application."
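The pricing scenario Sullivan describes, as an added example that is not from the article or from SPI Dynamics: a Node.js checkout handler that trusts the price the browser's JavaScript sent, beside a hardened version that re-prices the order from a server-side catalog and flags any mismatch for logging. The catalog, the order shape `{sku, qty, price}` and the sample orders are constructed assumptions.

```javascript
// Constructed server-side catalog (prices in cents): the only authoritative
// source of prices. Anything the client sends about price is untrusted input.
const CATALOG = { "widget-1": 1999, "gadget-2": 4999 };

// Vulnerable pattern: the Ajax client computed the total in JavaScript and
// posted it. A script debugger can rewrite order.price before the request
// leaves the browser, and this handler never notices.
function checkoutTrustingClient(order) {
  return order.qty * order.price;
}

// Detection hook: does the client-supplied price disagree with the catalog?
// A hardened handler still accepts the order (server price wins) but logs this,
// since a mismatch only happens when client-side state was altered.
function priceMismatch(order) {
  const unitPrice = CATALOG[order.sku];
  return unitPrice !== undefined && order.price !== undefined && order.price !== unitPrice;
}

// Hardened pattern: ignore the client's price entirely, look it up server-side,
// and validate the quantity before computing the total.
function checkoutServerPriced(order) {
  const unitPrice = CATALOG[order.sku];
  if (unitPrice === undefined) throw new Error("unknown sku: " + order.sku);
  const qty = Number(order.qty);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    throw new Error("invalid qty: " + order.qty);
  }
  if (priceMismatch(order)) {
    // In a real deployment this would go to the application's security log.
    console.warn(`price tamper suspected: sku=${order.sku} client=${order.price} catalog=${unitPrice}`);
  }
  return qty * unitPrice;
}

// Constructed sample requests: one untouched, one edited in a debugger.
const legitOrder = { sku: "widget-1", qty: 2, price: 1999 };
const tamperedOrder = { sku: "widget-1", qty: 2, price: 1 };

console.log("trusting client:", checkoutTrustingClient(tamperedOrder)); // 2
console.log("server priced:", checkoutServerPriced(tamperedOrder));    // 3998
```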
