How Secure Is AJAX?

In this age of malware and constant attacks on our computer systems, we have to evaluate every new technology for security and the potential new vulnerabilities each introduces. No matter how cool it is, any technology that doesn t meet strict security requirements is best left to keynote demonstrations.

AJAX is certainly one of the cooler technologies propagating throughout the Web today. Unlike other new technologies, it really isn t new. After all, we ve been using JavaScript and XML for years on the Web, even asynchronously. But how does AJAX measure up for security? Is it something that you should consider putting on a Web site, or is it best left to sites where security isn t a concern (if there are any such Web sites)?

I recently got a copy of Secure ASP.NET AJAX Development, an e-book by Jason Schmitt. I love books like this: it s short (92 pages, including front and back material) and to the point, focused on a single topic. I ll happily pay the $9.99 cost for books like this, even though it s likely to be more money per page than a typical 1,200-page tome that claims to cover everything I ll ever need to know about some subject.

On the surface, it is reasonable to assume that ASP.NET AJAX is reasonably secure because of its close integration with ASP.NET and IIS on the server and JavaScript on the client. If, of course, ASP.NET, IIS, and JavaScript are in fact secure. A discussion to reach that conclusion is outside the scope of both the book and this article, so for our purposes here we will assume they are indeed secure and are not the source of AJAX vulnerabilities.

What new vulnerabilities, then, does AJAX present? I love this quote from the book at the start of section 2, AJAX Security Pitfalls: The security of AJAX applications is a similar reversal of fortunes in that many developers will introduce old, familiar security vulnerabilities into their applications with new, unfamiliar development approaches. That summarizes quite well the potential problem with using AJAX. Although the book is nominally about ASP.NET AJAX, section 2 covers vulnerabilities in just about any flavor of AJAX.

The author begins this section by making the point that there is nothing inherently insecure about AJAX. Instead, the vulnerabilities arise from how developers implement the technology, and there are plenty of ways to introduce vulnerabilities to a Web site. Then he goes on to talk about the increased attack surface, primarily through greatly increased interactions between browser and server; increasingly complex client-side code and the ability of an attacker accessing and modifying that code; attacking through bypassing client validation; and several other things.

There isn t much depth to the technical discussion of AJAX security vulnerabilities. There doesn t really need to be, since none of the vulnerabilities are new or completely unique to AJAX. But there is plenty enough depth to both make you aware of the risks and to get you thinking about the implications of using AJAX.

Section 3, Securing ASP.NET AJAX, provides the cure to the pain introduced in section 2. Once again, there is nothing radically new here, with sections about general ASP.NET AJAX security principles, including validating user input, protecting client resources, authenticating requests, protecting Web services, and securing data access. Those principles apply to all Web security development, but the author presents them in the context of AJAX, once again providing fodder for thought about securing AJAX applications. The book concludes with a section about testing AJAX security and a security checklist.

It is too early in the lifecycle of AJAX to tell whether the book identifies all the security vulnerabilities presented by AJAX. It s almost certain that it doesn t, not because of a flaw in the book but because of the energy and creativity that some people spend attempting to discover the security flaws in any technology.

One warning: the book makes heavy use of DRM, digital rights management, to protect against copying. I didn t have any problem accessing the content, and it allows accessing the book on at least one other computer. It seems to phone home to validate access to the file, but at least I didn t have to install anything that required administrative rights on my local machine.

You can never be too secure, but it is all too easy to be insecure with the application complexity introduced with AJAX. But by understanding the risks, you can make intelligent decisions about how to use AJAX securely.

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:donkiely@computer.org and read his blog at http://www.sqljunkies.com/weblog/donkiely/.