Ajax alert raises security, scalability issues

By Colleen Frye, News Writer
30 Jan 2006 | SearchWebServices.com


With Ajax-style applications on the rise, organizations need to consider potential security vulnerabilities and performance issues, according to XML security vendor Forum Systems Inc., which today issued an alert on this topic.


"We're not out to create alarm," said Walid Negm, vice president of marketing for Salt Lake City-based Forum Systems. "We just feel the need to get people thinking about security and scalability requirements. We keep our eye out for any technology using XML. It's part of our job."

Ajax, short for Asynchronous JavaScript and XML, has gained traction as a way to enhance the user experience by creating rich Internet applications. According to Forum, by enabling more interactive Web pages that are interoperable with Web services, Ajax increases the amount of XML, text or HTML network traffic. Relying on XML as the content type for request/response payloads exposes applications to Web services vulnerabilities, according to the company. The company also points out that by transforming a user's Web browser into a Web services portal, the Ajax communication model increases the browser's processing responsibility.

Forum's attempt at a remedy is to implement XML content filtering, Web services security and XML acceleration capabilities.

Negm outlined some potential issues. One, he said, is the opportunity for a malicious client to send corrupted data, essentially creating an attack client. Another risk, he said, is unauthenticated user access. With Ajax applications, he said, an unauthenticated user can quickly elevate his or her privileges if there is no server-side protection.

Malformed data is the biggest risk, he said. "A denial of service can be done quite easily because you're using asynchronous code. There is the potential result of resource exhaustion on the server side or of a denial of service making a server crash."

While Ajax has some Web application security risk, "you are protected [from most] if you have an application firewall on the server side," Negm said.

Performance, though, is potentially a bigger issue, he said. "You need to consider how data validation will impact performance. Ajax allows you to do data validation better, but you have to deal with additional validation requirements, which is an additional headache for the server."

Asked if issuing an alert that plays into Forum's technology offerings isn't a bit self-serving, Negm responded that "there is always a risk of that [appearance], but the risk of not issuing one is even greater. We're comfortable with our track record with security. The details behind the alert make sense and are worth discussing. They're not high urgency, but we're asking developers to take a look at this."

"It's definitely important to make people aware of the fact Ajax presents additional security issues that a simple Web page might not face," said Jason Bloomberg, senior analyst at ZapThink LLC in Waltham, Mass. "Forum has been focusing on threat prevention," he said, so the alert is a natural fit.

Adaptive Path LLC, a user experience consulting company in San Francisco, is hearing from clients that data security and exposed business logic are the major concerns, said Jesse James Garrett, director of user experience strategy. "To some extent, when you're doing Ajax applications you end up moving business logic from the server to the client," he said. "By moving that logic to the client you expose it to the world. That presents some potential security risks, depending on the application."

Less of a concern is data security, he said. "Ajax applications can rely on the underlying encryption layer of the Web to encrypt that XML for that data communication," Garrett said.

Also, there is a potential for Ajax malware, Garrett said. "What we've done is decouple the user interaction from the server communication. Now the server communication is completely invisible to the user, so you can have data being transmitted without the user's knowledge. That opens up some significant risk."

Dion Almaer, co-founder of Ajaxian.com, an Ajax community, said there is nothing in Ajax that is inherently insecure, but there are some issues.


He said developers have to think about what they are doing. "You can develop an Ajax application that is very rich and you need to pass data from the browser to the client. You need to make sure that you secure the access to the server, just like you would if you wrote with any desktop technology." For example, "you don't want your Ajax application to be able to send arbitrary SQL to the back-end server and have it run it. A hacker could work that out and manually send bad requests." Also, he wrote, "don't just eval() anything and be wary of XSS exploits."

The bottom line, Almaer said: "Secure your server side just like you would anyway and then you are fine."
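Almaer's two warnings above, "don't just eval() anything" and "be wary of XSS exploits", come down to treating an Ajax response as data rather than code. The following is an added example, not code from the article or from Ajaxian.com; the response format (a `user` string and a `count` integer) and the sample payloads are assumptions constructed for illustration.

```javascript
// The risky pattern the article warns against: eval() runs whatever JavaScript
// the response contains, so a tampered or malformed reply can execute code
// in the user's browser instead of merely supplying data.
function parseResponseUnsafe(text) {
  return eval("(" + text + ")");
}

// Hardened form: JSON.parse never executes code, and an explicit shape check
// rejects anything the application does not expect (hypothetical schema).
function parseResponseSafe(text) {
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (e) {
    return null; // malformed payload: reject it rather than guess
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  if (typeof obj.user !== "string" || !Number.isInteger(obj.count)) return null;
  return { user: obj.user, count: obj.count }; // copy only the known fields
}

// Escape server-supplied values before they are placed into markup
// (for example via innerHTML) so that "<script>" renders as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a parsed response as an HTML fragment with every field escaped.
function renderUser(parsed) {
  if (parsed === null) return "<p>Invalid response</p>";
  return "<p>" + escapeHtml(parsed.user) + " (" + parsed.count + ")</p>";
}

// Constructed sample responses (not captured traffic).
const GOOD_RESPONSE = '{"user": "alice", "count": 3}';
const HTML_IN_DATA = '{"user": "<b>alice</b>", "count": 3}';
// A reply that is valid JavaScript but not JSON: eval() would execute the
// assignment, JSON.parse rejects it outright.
const CODE_IN_DATA = '(globalThis.evalRan = true, {"user": "x", "count": 1})';
```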

Garrett echoed that sentiment. "There is no substitute for smart planning in the development and deployment of any application. There are certain complexities of Ajax development that place even more of a burden on development teams to make smart choices."
