Rush to adopt Ajax leaves many sites vulnerable, experts say
Black Hat presenters build an Ajax-enabled Web site by the book only to tear it apart before a live audience.
LAS VEGAS--Want to build a Web site with all the latest Ajax technology? Or how about "Ajaxifying" an existing application? Bryan Sullivan, Senior Research Engineer for SPI Labs, and Billy Hoffman, SPI Labs' team leader, did just that during their talk "Premature Ajax-ulation" Wednesday afternoon at Black Hat. The two said that often developers see only the code that works, and not how someone else may come along and exploit it.
To demonstrate, Sullivan and Hoffman built a mock travel Web site, Hacker Travel.com.
"We're actually using examples that we find from popular Ajax books, from popular Ajax Web sites," said Hoffman. "We're going to say, 'Look, we built this the way you were supposed to build it, the way so-called authoritative sources told you to.' Now here's what we need to be thinking about while you are developing these apps. And we're going to poke holes at it and show how to basically develop these things securely from the start."
Hoffman said companies traditionally hire third parties to come in and audit their site or perform a penetration test, then dump a thick PDF report on the developers' desks and say "here, fix it." What do the developers do? "They go and they type 'SQL injection' into Google and they find the first page and say 'Oh, here's how I fix it.'" That simply doesn't work, says Hoffman.