Are we ready for AJAX?

Tags: AJAX, ASP.NET, Atlas, JavaScript, Security

Today I watched the webcast How Hackers Reverse Engineer and Exploit an Ajax Application. It didn't present any new security issue; as AJAX or web application developers we should already know them all. The samples showed how the AutoComplete.asmx web service (built with ASP.NET AJAX) used by a demo web application could be attacked through SQL injection.
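As an added example (not code from the webcast or from this post), here is the shape of such an AutoComplete web method in C#: first with the string-concatenated query that makes SQL injection possible, then with a parameterized query plus the authentication check that the Q&A below calls necessary but not sufficient. The Users table, the UserName column, the "AppDb" connection string name and the method names are assumed.

```csharp
// Added example, not code from the webcast or the post. Table Users, column
// UserName and connection-string name "AppDb" are hypothetical.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Script.Services;
using System.Web.Services;
[ScriptService] // makes the methods callable from ASP.NET AJAX client script
public class AutoComplete : WebService
{
    // VULNERABLE: prefixText is spliced into the SQL text, so a crafted
    // prefix changes the query instead of being matched as data.
    [WebMethod]
    public string[] GetCompletionListUnsafe(string prefixText, int count)
    {
        string sql = "SELECT TOP " + count + " UserName FROM Users " +
                     "WHERE UserName LIKE '" + prefixText + "%'";
        return RunQuery(sql, null);
    }
    // HARDENED: the SQL text is constant and input travels as typed
    // parameters; the caller must be authenticated and the row cap is
    // decided server-side, whatever count the client sends.
    [WebMethod]
    public string[] GetCompletionList(string prefixText, int count)
    {
        if (!Context.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("login required");
        int top = Math.Min(Math.Max(count, 1), 10);
        string sql = "SELECT TOP (@top) UserName FROM Users " +
                     "WHERE UserName LIKE @prefix + '%'";
        var ps = new[] { new SqlParameter("@top", top),
                         new SqlParameter("@prefix", prefixText ?? "") };
        return RunQuery(sql, ps);
    }
    private static string[] RunQuery(string sql, SqlParameter[] ps)
    {
        var results = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (ps != null) cmd.Parameters.AddRange(ps);
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
                while (rdr.Read()) results.Add(rdr.GetString(0));
        }
        return results.ToArray();
    }
}
```

Note that the parameterized version still treats `%` and `_` inside prefixText as LIKE wildcards; that is a matching quirk, not an injection, but escape them if exact prefix matching matters.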

But one thing I found very interesting was in the question and answer box of Microsoft Live Meeting during the webcast:

Question: If I secure WebServices using FormAuthentication, will it prevent Hacking Ajax WebService?
Answer: Not necessarily, it will reduce hacking by users who do not have credentials, but will not unilaterally secure your app.

Question: Does a web service normally require a security key to call that can prevent an attacker from calling it successfully?
Answer: Not unless you specifically develop your app that way.

Question: The Ajax client sees data as clear text. Is this easier to hack than what a user sees in the browser as clear text? (especially by malicious JS code by a hacker from a Mashup)
Answer: No - both are pretty easy.

Question: Sorry, I missed the first 20 minutes of the webcast, are you saying that it is good or bad to use ASP.NET AJAX, security-wise?
Answer: Good - but like ALL dev technology, you need to be doing the right things in your code !!

Question: FireBug showed MS-Ajax AutoComplete uses POST while Google Suggest uses GET, any security issue? Or just SOAP vs. REST? Comment on POST vs. GET.
Answer: No - also, SOAP is not used by default using MS AJAX.

Are we really ready for AJAX? Are you ready to write secure web applications? I feel very bad when I see how easy it is to find open web services. A simple Google search for user filetype:asmx returned a long list of web services where it was sometimes possible to get a list of usernames. While web services are still (sometimes) developed insecurely, are AJAX applications any more secure now?

4 Comments

  • Mark Wisecarver said

    Ajax has already proven itself to me, 100% of the attacks/Spam have been thwarted for the past 4 months straight. I can't wait to start using it for more SQL Server 2005 operations, looking nifty there too.

  • interactive said

    @Anon: I'm against using AJAX for everything and without any thought about security. I found too many web sites that are open for everybody. Developers should look more at security. This doesn't belong to any special framework or technology, every AJAX application (PHP, Java, ASP.NET,...) must be secure like common web applications without AJAX. AJAX is easier to hack than web applications, more structured. @Mark: Yes, AJAX itself is great, of course, I'm using it very often as you can imagine. But security is missing often, and I want to start an appeal to everybody! Michael

  • Chris said

    What AJAX security principles do you recommend when building AJAX applications? Are there any online references/books on this?
