At the show, Billy Hoffman, lead engineer at Web security specialist SPI Dynamics, showed how AJAX attacks could be designed to break into and manipulate online stock trading accounts. (Read more on this attack.)And Jeremiah Grossman, CTO of WhiteHat Security, showed how an AJAX attack could be spread using MySpace as a means of sending an invasive program deep into an enterprise’s internal network.
"We need to stop teaching people to make use of these new Web technologies while pretending that there are no security considerations. This is an old problem; people are saying, ‘This is a new technology and we've learned from all of those security mistakes of the past. Now we just don't need to think about it.’ But that's crazy. With new technologies come a new set of threats."
Dr. David Wagner, professor of computer science at UC Berkeley doesn't see the demoed attacks as especially alarming. "It looks like the impact is just that hackers can perform reconnaissance and reconnoitering against your intranet," he says, "but this doesn't provide any new way to actually attack internal hosts (except possibly in some special cases). If that is correct, then this vulnerability isn't really all that big a deal."
What should AJAX developers do?
"As a Web 2.0 programmer—an AJAX programmer—you need to both protect the user and not trust the user," says Chess. "I know that's counterintuitive, but think about it; the user can be both an attacker and a victim. Doing both of those things at once is a bit of a juggling act, but necessary from a security standpoint."
"Developers need to be aware of security and take responsibility for their applications," Wagner advises. "One of the benefits of new Web technologies has been to make Web programming accessible to a much broader interface—but that is a double-edged sword, because many of these new Web developers aren't necessarily trained in or fully aware of security issues. As software developers, it behooves us to think proactively about how our code might be misused."