Hacking

Sunday, August 5, 2007

SigEx Telecom: Rush to Ajax makes for happy hackers
by Delia Cruceru

On Wednesday at the Black Hat USA conference in Las Vegas, security researchers warned software developers who use Asynchronous JavaScript and XML (Ajax) techniques that they may face security problems: sites built with Ajax can be dangerously vulnerable to a variety of Web-based threats of which their developers are not even aware. Ajax is very popular among Web developers because it lets a site respond to user input more quickly than a traditional page can. Google, Yahoo and other popular sites already use it, finding it more efficient because the browser does not have to reload the whole Web page every time content needs to be refreshed.

A site coded with Ajax can give attackers opportunities to tear the application to shreds: booking free flights, obtaining coupon codes, hijacking administrative functions and stealing every user's account information. All of this rests on flaws that popular Ajax resources ignore: improper use of client-side XSLT; server-side APIs that are either too coarse- or too fine-grained; storing secrets (either data or functionality) in client-side code; exploitable Ajax race conditions; and client-side JavaScript whose obfuscation can be undone with static analysis. "Any secrets stored in JavaScript, whether secret data like discount codes or database connection strings, or secret functionality like backdoor administrative access, will be found and exploited," says Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics in Atlanta.
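As an added illustration (not code from the article, SPI Dynamics or any site it names), here is the discount-code pattern Hoffman describes, in JavaScript: a client-side coupon table combined with a server endpoint that accepts whatever percentage the browser sends, beside the server-side version that keeps the table private, plus a build-time check for secrets leaking into the shipped bundle. The coupon names, prices and function names are constructed for the example.

```javascript
// Added example: why coupon secrets and discount logic must not live in client code.
// Coupon codes, values and prices are constructed for illustration.

// --- Pattern the researchers warn about -------------------------------------
// This table is shipped to every browser, so anyone who reads (or deobfuscates)
// the bundle learns every code, including the staff-only one.
const CLIENT_SIDE_COUPONS = { SAVE10: 10, STAFF50: 50 };

function clientComputesDiscount(code) {
  return CLIENT_SIDE_COUPONS[code] ?? 0;
}

// Overly granular server endpoint: the browser tells it which percentage to apply,
// so the server trusts a number the user controls instead of deriving it itself.
function insecureServerCheckout(subtotal, percent) {
  return Math.round(subtotal * (1 - percent / 100) * 100) / 100;
}

// --- Hardened shape ----------------------------------------------------------
// The coupon table exists only on the server. The client sends the code it was
// given; the server decides what (if anything) that code is worth.
const SERVER_ONLY_COUPONS = new Map([['SAVE10', 10], ['STAFF50', 50]]);

function secureServerCheckout(subtotal, code) {
  const percent = SERVER_ONLY_COUPONS.get(String(code)) ?? 0; // unknown code => 0%
  return Math.round(subtotal * (1 - percent / 100) * 100) / 100;
}

// Defensive build-step check: report any known secret string that appears in the
// JavaScript about to be served to browsers.
function bundleLeaksSecrets(bundleSource, secrets) {
  return secrets.filter((s) => bundleSource.includes(s));
}
```

A browser user can call the insecure endpoint with any percentage, whereas the hardened endpoint ignores everything except a code it recognises.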

related story: http://www.cbronline.com/article_news.asp?guid=269108A6-C941-42BA-90C5-217AAF282396
by Delia Cruceru
for SigEx Telecom (http://sigex.com)

SigEx Telecom is quickly becoming the leading telebroadcasting communications provider allowing people to easily talk, view, upload and share video clips through free online TV broadcasting, free unlimited global calls, websites, blogs, video-mails and SMS. SigEx Telecom captures many add-on services for its clients generating royalties and fees in a broad spectrum of marketing services including public relations and promotions.
