
Gaps In Your Software Security


Web 2.0, AJAX create more places for attacks to gain entry



February 1, 2007
They used to talk about buffer overflows, cross-site scripting errors and SQL injections. But today talk from application security tool makers is all about AJAX and Web 2.0.

If the shifting conversation is any indication, the old threats—essentially techniques hackers use to attack applications—are a thing of the past, replaced by new types of attacks, unique to AJAX (Asynchronous JavaScript and XML) and Web 2.0.

But nothing could be further from the truth, according to application security tool makers. The old threats are alive and well, and the newer technologies have not given rise to fundamentally new types of attacks. But three key factors are changing the application security landscape, steering the conversation in a new, bigger-picture direction.

First, like other tool makers, those that sell application security offerings are eager to reposition their tools around the current hot technologies, leading to “a lot of chatter around AJAX and Web 2.0,” said Ed Adams, president and CEO of software security consultancy Security Innovation. “They are the latest and greatest technologies.”

Second, the application security market, relatively unknown only a few years ago, is moving out of its earliest phase. And rather than focus on highly technical details pertaining to SQL injections and cross-site scripting errors, for example, tool makers are emphasizing the root cause of these flaws: the need to validate input to Web applications.

“We need to stop chasing the vulnerabilities one by one,” said Danny Allan, strategic research analyst for Watchfire, which sells application security tools, among other offerings.

Theresa Lanowitz, who heads research firm Voke, agreed. But she also pointed out that app security tool makers are emphasizing the big picture in order to better position their offerings to business decision makers. “The CIO does not want to [listen to you] talk about buffer overflows. If you do, he’ll send you to development.”

The third, and most important, reason the app security conversation is changing is that AJAX and Web 2.0 have in fact made Web applications more vulnerable, most of the tool makers agreed. By definition, both technologies are highly responsive to the user, and that has created a “bigger attack surface,” said Bryan Sullivan, a development manager for application security tool maker SPI Dynamics. In the past, when applications accepted input through a single form, “there was one door to secure. But with AJAX and Web 2.0, there are many, many more [entry points].” And each represents an opening a hacker could exploit, he said. “Think about a bank, versus a shopping mall. There’s one door for the bank, but hundreds of doors for the shopping mall. And they all have to be guarded.”

NEW, LESS SECURE LANDSCAPE
The emergence of more openings to exploit has indeed increased concern about Web application security, said Brian Chess, chief scientist and founder of Fortify Software, which sells application security tools. “But while the newer technologies change the security landscape, they don’t change any of the fundamentals of making applications more secure,” he said. “AJAX and Web 2.0 are simply magnifying the complexity of applications.”

With AJAX, there are just more aspects of a Web application that can be compromised, said Billy Hoffman, a lead researcher at SPI Dynamics, and co-author with Sullivan of “AJAX Security,” a book expected from Addison-Wesley this summer. “If you analyze only the server code, you have ignored half of the app,” he said. “You have to [test] the client, where JavaScript does the processing work, and you have to analyze how those two pieces interact.”

A key issue to take into account is how the app handles input validation, said Chris Wysopal, co-founder and CTO of Veracode, an application security startup expected to open its doors for business this month. “Applications are typically validated for input on the client side. If everything is OK, the input is sent to the server. But apps aren’t validated again on the server.”

That approach doesn’t make sense with AJAX. It could lead to an exploit where a hacker gets the client to make a call to the server that says, “Clone this Java object,” said Wysopal, offering an example. “All those Java objects could bring the server down.”

What complicates matters with AJAX is that so much is going on behind the scenes, making it easy to overlook potential openings.

“AJAX apps are devilishly difficult to QA,” said SPI Dynamics’ Hoffman, referring to the quality assurance testing process. “Say you have a map of the 50 states, where holding the mouse over each state lets you see data,” he said, offering an example. “If you look under the covers, you will see each state represents a request. You have to test every single one. If I send XX to California, will it break?” The possibilities for attack are infinite, he added.
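The two points above, Wysopal’s (input is checked in the browser but not again on the server) and Hoffman’s (every hover on the map is a separate request, and each one has to be tested), as an added example that is not from the article or from any of the vendors quoted. The endpoint behind the “50 states” map is hypothetical; the names `stateData`, `stateDataTrusting`, `fuzzEndpoint`, `US_STATES` and `STATE_DATA`, and the sample data, are all constructed for illustration.

```javascript
// Added example (not from the article): a hypothetical AJAX endpoint behind
// the "50 states" map, validated on the server, plus a harness that hits it
// with every legitimate value and a set of malformed ones. All names here
// (US_STATES, STATE_DATA, stateData, fuzzEndpoint) are assumptions.

const US_STATES = [
  "AL", "AK", "AZ", "AR", "CA", "CO", "CT", "DE", "FL", "GA", "HI", "ID", "IL",
  "IN", "IA", "KS", "KY", "LA", "ME", "MD", "MA", "MI", "MN", "MS", "MO", "MT",
  "NE", "NV", "NH", "NJ", "NM", "NY", "NC", "ND", "OH", "OK", "OR", "PA", "RI",
  "SC", "SD", "TN", "TX", "UT", "VT", "VA", "WA", "WV", "WI", "WY",
];
const STATE_SET = new Set(US_STATES);

// Constructed stand-in for the back-end lookup (no real figures).
const STATE_DATA = Object.fromEntries(
  US_STATES.map((code, i) => [code, { code, sample: i + 1 }])
);

// What the page's JavaScript does before firing the request. Fine for
// usability, worthless as a security control: an attacker skips the page
// and calls the endpoint directly with whatever value they like.
function clientSideCheck(state) {
  return typeof state === "string" && /^[A-Z]{2}$/.test(state);
}

// Server handler that trusts the client to have checked the value
// ("apps aren't validated again on the server").
function stateDataTrusting(query) {
  return { status: 200, body: { code: query.state, sample: STATE_DATA[query.state].sample } };
}

// Hardened handler: the server validates the parameter itself against an
// allow-list, and does so before the object lookup, so keys such as
// "__proto__" or "constructor" never reach STATE_DATA.
function stateData(query) {
  const state = query === null || query === undefined ? undefined : query.state;
  if (typeof state !== "string") {
    return { status: 400, body: { error: "state must be a string" } };
  }
  if (!STATE_SET.has(state)) {
    return { status: 400, body: { error: "unknown state" } };
  }
  return { status: 200, body: STATE_DATA[state] };
}

// Each state is its own request and has to be tested. Constructed malformed
// inputs, including the "send XX to California" case from the interview.
const MALFORMED = [
  "XX", "", "ca", "CAL", "CA'--", "<script>alert(1)</script>", "../../etc/passwd",
  "__proto__", "constructor", null, undefined, 42, ["CA"], { toString: () => "CA" },
];

// Returns a list of failures: a valid state that was rejected, a malformed
// value that was accepted, or any input that made the handler throw.
function fuzzEndpoint(handler) {
  const failures = [];
  for (const code of US_STATES) {
    const res = handler({ state: code });
    if (res.status !== 200) failures.push({ input: code, reason: "valid input rejected" });
  }
  for (const bad of MALFORMED) {
    let res;
    try {
      res = handler({ state: bad });
    } catch (err) {
      failures.push({ input: bad, reason: `handler threw ${err.name}` });
      continue;
    }
    if (res.status === 200) failures.push({ input: bad, reason: "malformed input accepted" });
  }
  return failures;
}

console.log("trusting handler failures:", fuzzEndpoint(stateDataTrusting).length);
console.log("hardened handler failures:", fuzzEndpoint(stateData).length);
```

Two details are worth noticing when the harness runs. The client-side regex happily passes `"XX"`, so only the server’s allow-list actually stops it. And the trusting handler accepts `["CA"]` and an object whose `toString` returns `"CA"`, because JavaScript coerces both to the string `"CA"` when they are used as a property key; the hardened handler rejects them because it checks the type before it ever touches the lookup table.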

The “under the covers” aspect of AJAX apps has led some to dispute the notion that AJAX apps have an inherently bigger attack surface. “Requests are happening, and you may not know it,” said Ryan Berg, chief scientist and co-founder of app security tool maker Ounce Labs. But that doesn’t mean AJAX apps have an inherently larger attack surface, he said. “We try to de-mystify AJAX, but it’s regular JavaScript.”

Jeremiah Grossman, CTO for WhiteHat Security, a Web application security services provider, agreed. “I don’t think AJAX changes the security landscape at all,” he said. “It’s a client-side set of technologies and a cool, new buzzword. It doesn’t change how vulnerable a Web site might be.”

THREATS BEYOND AJAX
In some respects, the security threats AJAX presents are similar to those around service-oriented architectures, noted Fortify’s Chess. “Both reflect the growing complexity of software we are working with. With SOA, instead of client and server talking to each other, you have Web services talking to each other.” A SOA-based bank application might include, for example, one Web service for accessing a checking account, another for managing a credit card account and another for authorizing access to the application, he said. “With a traditional application, the sequence was a given [that] you had to log in and go through the authorization process before you could access your bank balance.” But with SOA, those events can occur out of sequence, and that brings with it new security concerns, he said.

Newer still are the security concerns ushered in by Web 2.0, a concept that views the World Wide Web as not just a collection of sites, but also as a platform with which users interact. “Users are contributing to the Web’s collective intelligence, and that creates a new attack vector,” said Mike Weider, founder and CTO of Watchfire. “How do I make sure [their contributions are] not malicious?” That is a new challenge: Web sites must test their own apps, and also make sure user contributions are secure, he said. “There aren’t any automated tools to do that. The company creating the Web site is left to filter the content.”

Another potential opening brought about by Web 2.0 is so-called mashups, Web applications that combine content from more than one source. To make that possible, each source publishes information about how to access it. “They offer a blueprint of how to interact with them,” said SPI Dynamics’ Sullivan. “But a hacker will say, ‘OK, this is the proper way to do things. I will do the opposite,’” he said. “When you tell people how to talk directly to your back-end systems, you are telling them how to attack you.”

A MORE SOPHISTICATED STORY
As developers, testers and application security tool makers work to plug holes opened by AJAX and other Web 2.0 technologies, one thing is clear: Tool makers aren’t likely to resort to talking about SQL injections and cross-site scripting errors.

It’s a good thing the conversation has moved away from individual attacks, said Fortify’s Chess. “More people are thinking about the fact that these attacks are not isolated [incidents]. And that leads people to plan—not just react,” he said. “We need to educate programmers, verify that mistakes were found, and think a little more holistically.”


Share this link: http://www.sdtimes.com/link/30090