With Ajax-style applications on the rise, organizations need to consider potential security vulnerabilities and performance issues, according to XML security vendor Forum Systems Inc., which today issued an alert on the topic.
"We're not out to create alarm," said Walid Negm, vice president of marketing for Salt Lake City-based Forum Systems. "We just feel the need to get people thinking about security and scalability requirements. We keep our eye out for any technology using XML. It's part of our job."
Forum's proposed remedy is to implement XML content filtering, Web services security and XML acceleration.
Negm outlined some potential issues. One, he said, is the opportunity for a malicious client to send corrupted data, essentially creating an attack client. Another risk, he said, is unauthenticated user access. With Ajax applications, he said, an unauthenticated user can quickly elevate his or her privileges if there is no server-side protection.
Malformed data is the biggest risk, he said. "A denial of service can be done quite easily because you're using asynchronous code. There is the potential result of resource exhaustion on the server side or of a denial of service making a server crash."
While Ajax has some Web application security risk, "you are protected [from most] if you have an application firewall on the server side," Negm said.
Performance, though, is potentially a bigger issue, he said. "You need to consider how data validation will impact performance. Ajax allows you to do data validation better, but you have to deal with additional validation requirements, which is an additional headache for the server."
Asked if issuing an alert that plays into Forum's technology offerings isn't a bit self-serving, Negm responded that "there is always a risk of that [appearance], but the risk of not issuing one is even greater. We're comfortable with our track record with security. The details behind the alert make sense and are worth discussing. They're not high urgency, but we're asking developers to take a look at this."
"It's definitely important to make people aware of the fact Ajax presents additional security issues that a simple Web page might not face," said Jason Bloomberg, senior analyst at ZapThink LLC in Waltham, Mass. "Forum has been focusing on threat prevention," he said, so the alert is a natural fit.
Adaptive Path LLC, a user experience consulting company in San Francisco, is hearing from clients that data security and exposed business logic are the major concerns, said Jesse James Garrett, director of user experience strategy. "To some extent, when you're doing Ajax applications you end up moving business logic from the server to the client," he said. "By moving that logic to the client you expose it to the world. That presents some potential security risks, depending on the application."
Less of a concern is data security, he said. "Ajax applications can rely on the underlying encryption layer of the Web to encrypt that XML for that data communication," Garrett said.
Also, there is a potential for Ajax malware, Garrett said. "What we've done is decouple the user interaction from the server communication. Now the server communication is completely invisible to the user, so you can have data being transmitted without the user's knowledge. That opens up some significant risk."
Dion Almaer, co-founder of Ajaxian.com, an Ajax community, said there is nothing in Ajax that is insecure, but there are some issues.
He said developers have to think about what they are doing. "You can develop an Ajax application that is very rich and you need to pass data from the browser to the client. You need to make sure that you secure the access to the server, just like you would if you wrote with any desktop technology." For example, "you don't want your Ajax application to be able to send arbitrary SQL to the back-end server and have it run it. A hacker could work that out and manually send bad requests." Also, he wrote, "don't just eval() anything and be wary of XSS exploits."
The bottom line, Almaer said: "Secure your server side just like you would anyway and then you are fine."
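The pattern Negm and Almaer describe (a client that asserts its own privileges, sends oversized or malformed data, or smuggles SQL into a request, and a page that eval()s whatever comes back) is easy to show side by side with its hardened form. The following is an added example written for this page, not code from Forum Systems, Ajaxian or anyone quoted above. The request and session objects, the `accounts` table, the `?` placeholder query shape and the 4 KB body cap are all assumptions made for the illustration; no real database or network is involved.

```javascript
// Added example, not from the article. Models an Ajax endpoint handler and the
// browser-side response handling. Request/session shapes, the table name, the
// placeholder query format and MAX_BODY_BYTES are assumptions for illustration.
const MAX_BODY_BYTES = 4096; // cap request size so huge bodies cannot exhaust the parser

// BEFORE: trusts the browser. The role comes from the request body, so an
// unauthenticated client can "elevate" itself, and the id is concatenated into
// SQL, so the client can send arbitrary SQL for the back end to run.
function handleLookupUnsafe(req) {
  const body = JSON.parse(req.body);
  return {
    status: 200,
    sql: "SELECT * FROM accounts WHERE id = '" + body.id + "'",
    role: body.role, // client-asserted privilege
  };
}

// AFTER: identity and role come from the server-side session, the body is
// size-limited and shape-checked before use, and the query is parameterized so
// the id can only ever be a value, never query text.
function handleLookupSafe(req) {
  if (!req.session || !req.session.userId) return { status: 401 };
  if (Buffer.byteLength(req.body, "utf8") > MAX_BODY_BYTES) return { status: 413 };
  let body;
  try {
    body = JSON.parse(req.body);
  } catch (e) {
    return { status: 400 }; // malformed data is rejected, not half-processed
  }
  if (typeof body !== "object" || body === null ||
      typeof body.id !== "string" || !/^[0-9]{1,12}$/.test(body.id)) {
    return { status: 400 };
  }
  return {
    status: 200,
    sql: "SELECT * FROM accounts WHERE id = ?",
    params: [body.id],
    role: req.session.role, // server decides what the caller may do
  };
}

// Browser side: eval(xhr.responseText) would execute any script the response
// contains. JSON.parse accepts data only and throws on code.
function parseAjaxResponse(text) {
  return JSON.parse(text);
}

// Escape server data before inserting it into the page via innerHTML to avoid XSS.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample requests (not captured traffic).
const injected = JSON.stringify({ id: "1' OR '1'='1", role: "admin" });
const unsafeResult = handleLookupUnsafe({ body: injected, session: null });
const safeResult = handleLookupSafe({ body: injected, session: { userId: 42, role: "user" } });
const okResult = handleLookupSafe({ body: JSON.stringify({ id: "17" }), session: { userId: 42, role: "user" } });
```

Run under Node: `unsafeResult.sql` carries the attacker's clause inside the query text and `unsafeResult.role` is whatever the client claimed, while the hardened handler returns 400 for the same body and, for a valid request, binds the id as a parameter and takes the role from the session. The checks are ordinary server-side validation; nothing about them is Ajax-specific, which is Almaer's point.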
Garrett echoed that sentiment. "There is no substitute for smart planning in the development and deployment of any application. There are certain complexities of Ajax development that place even more of a burden on development teams to make smart choices."