Ajax: Open for risky business | SC Media

August 7, 2007
Interactive web applications based on Ajax (Asynchronous JavaScript and XML) are easily exploitable, SPI Dynamics warned at a Black Hat presentation. The company said the rush to incorporate the functionality found in so-called web 2.0 applications such as Google Maps offers the potential for financial disaster if Ajax-based applications are not architected properly.

Ajax uses JavaScript to store variables on the client as part of its transactional code; in a buy-sell environment, for instance, Ajax stores pricing information on the client rather than on the server, according to Bryan Sullivan, a senior research engineer at SPI Dynamics. In this architecture, a hacker could use a browser and a script debugger to change the pricing information within the browser without the server-side code realizing it, he said.

The problem is "code on the client is out of [the developer's] control," he said. By being able to "view" the client-side code, a hacker could thus make changes to it. This would be particularly devastating in an e-commerce environment, he noted.

Sullivan's warning: "Don't put the secrets of your business in an Ajax/JavaScript application."
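As an added illustration of the pricing scenario Sullivan describes (example code written for this page, not from SPI Dynamics or the article), the Node.js order handler below contrasts a server that trusts a client-supplied price with one that re-derives every price from its own catalogue. The catalogue, SKUs, request shape and function names are constructed assumptions.

```javascript
// Added example, not from the article: server-side handling of an Ajax order.
// CATALOG is the authoritative price list and never leaves the server.
const CATALOG = Object.freeze({
  "sku-100": { name: "Widget", unitPriceCents: 1999 },
  "sku-200": { name: "Gadget", unitPriceCents: 4999 },
});

// Insecure pattern from the article: the Ajax client keeps the price in a
// JavaScript variable and posts it with the order, so whatever reaches the
// server is whatever the browser chose to send.
function handleOrderInsecure(body) {
  const total = body.items.reduce(
    (sum, it) => sum + it.unitPriceCents * it.quantity, 0);
  return { ok: true, totalCents: total };
}

// Hardened pattern: the server accepts only item identifiers and quantities,
// looks every price up in CATALOG, and rejects unknown SKUs or bad quantities.
function handleOrderSecure(body) {
  let total = 0;
  for (const it of body.items) {
    const product = CATALOG[it.sku];
    if (!product) return { ok: false, error: `unknown sku ${it.sku}` };
    if (!Number.isInteger(it.quantity) || it.quantity <= 0 || it.quantity > 1000) {
      return { ok: false, error: `bad quantity for ${it.sku}` };
    }
    // Any client-supplied price field is ignored; the catalogue price is used.
    total += product.unitPriceCents * it.quantity;
  }
  return { ok: true, totalCents: total };
}

// Constructed request as a tampered browser would send it: the price for
// sku-200 has been edited in the client from 4999 cents down to 1 cent.
const tamperedOrder = {
  items: [
    { sku: "sku-100", quantity: 2, unitPriceCents: 1999 },
    { sku: "sku-200", quantity: 1, unitPriceCents: 1 },
  ],
};

console.log(handleOrderInsecure(tamperedOrder)); // { ok: true, totalCents: 3999 }
console.log(handleOrderSecure(tamperedOrder));   // { ok: true, totalCents: 8997 }
```

The hardened handler charges the catalogue price no matter what the client posted, which is the server-side check the article's advice implies.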