A security vulnerability in AJAX-based applications will challenge development teams but is unlikely to slow AJAX’s rapid growth.
by Jeffrey Schwartz
A newly announced security vulnerability in AJAX-based applications will place added onus on development teams to avoid such threats, but observers say the finding is unlikely to slow AJAX’s rapid growth.
An attacker can pose as a victim by communicating with a Web site that may have confidential customer or employee data, Chess says. "This problem appears to be ubiquitous," he asserts.
Forrester Research analyst Jeffrey Hammond said it is possible a large number of AJAX applications are vulnerable to this threat, but it can be easily remediated by not letting private information be transmitted from a server without appropriate authentication.
"If you have an active framework with a lot of developers involved in it, it should be relatively easy to fix this loophole," Hammond said. "But if the framework is not very active and not being updated rapidly, you may have to implement a workaround and kind of do it on your own."
Chess said the workaround is fairly straightforward and that in many cases, toolkit providers will only have to revise a few lines of code. Fortify has already alerted the toolkit and framework vendors affected and many have said fixes are coming within weeks.
One that did not commit is Microsoft, Chess says. "Microsoft moves at Microsoft speed. They’ve registered this in their security system and they will patch it when they patch it," he said.
Microsoft declined to discuss the issue but issued a statement saying its Security Response Center is investigating. "Upon completion of this investigation, Microsoft will take the appropriate action," the statement reads.
Jon Ferraiolo, a Web architect in IBM’s emerging technologies group and chairman of The OpenAjax Alliance, says security is among the 70-plus company member group’s key objectives. Among the key issues the alliance will take up is education about best practices.
Developers should avoid obvious pitfalls, such as putting third party content into an application without verifying the provider of that content. "You have to be careful with the way your server side is set up if you want to have a secure, browser-based deployment, AJAX or otherwise," Ferraiolo says.
Like others, he says Fortify’s finding won’t have a chilling affect on AJAX development. "There’s all this AJAX going on right now," Ferraiolo said. "This is not a showstopper."
- - -
Jeffrey Schwartz is executive editor, features for our sister publication, Redmond Developer News.