Longtime readers will recognize my standard security mantra: convenience equals insecurity. Call me a security Luddite, but I believe it's sometimes better to do things the long way around, because shortcuts in computer software or Internet services most often leave you vulnerable. That sentiment seems to be shared by Billy Hoffman. He's a researcher at SPI Dynamics who, while criticizing businesses that race to deliver AJAX-enabled Web sites without regard to security, focused his two Black Hat
What is AJAX?
To demonstrate the difference in the experience, Hoffman asked everyone to recall the pre-AJAX service MapQuest circa 2000, where if you wanted to zoom in on a city street, you had to wait for the new image to download and render on your machine. Contrast that experience with today's AJAX-rich map services, where images appear to expand in resolution fluidly, with no time delay. Behind the scenes, AJAX has requested additional images to be cached and readied in advance, without your instruction. And therein lies the potential for trouble: AJAX makes several hidden (albeit helpful) requests, and if a given Web application isn't properly filtered, these additional requests could be used for malicious purposes--for cross-site scripting, for example.
Life in a post-AJAX world
Before AJAX, a cross-site scripting attack could merely capture information about a site that a user visits. In the current AJAX-enabled world, says Hoffman, AJAX allows an attacker to actively hunt for specific content, using the target site as a point of departure. Before AJAX, an attacker was limited, and Web application requests were often made blind, with the attacker unable to view the responses. With AJAX, an attacker can autonomously inject script into pages on a target site, reinject the same host with multiple XSSs, or send multiple requests using complex HTTP methods. With AJAX, the attack surface has grown, especially if the Web server doesn't filter input from users.
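To make the "doesn't filter input" point concrete, here is an added example (not from Hoffman's talk or the original post) in JavaScript: a tiny AJAX search-suggestion endpoint, modelled as pure functions so it runs without a web server, in a version that reflects the query term into markup unencoded beside a hardened version that bounds and encodes it on output. The function and parameter names are hypothetical.

```javascript
// Constructed example: an XHR "search suggestions" handler, written as pure
// functions that take a request object and return a response body.

// Minimal HTML entity encoding for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the term from the XHR query string is echoed into the fragment
// as-is. Script carried in a crafted link then runs in the victim's session on
// the target origin, where it can issue further background requests.
function suggestionsVulnerable(query) {
  const term = query.q || '';
  return `<div class="hint">No results for ${term}</div>`;
}

// Hardened: accept only the expected method, bound the input length, and
// encode on output so the term is always rendered as text, never as markup.
function suggestionsHardened(req) {
  if (req.method !== 'GET') return { status: 405, body: '' };
  const term = String((req.query && req.query.q) || '').slice(0, 64);
  return {
    status: 200,
    body: `<div class="hint">No results for ${escapeHtml(term)}</div>`,
  };
}
```

On the client, insert the returned text with `textContent` rather than `innerHTML` so a second encoding gap in the browser cannot undo the server's work.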
Patch early and often
I'm not advocating that we return to the slow request-and-wait days of yore; I'm hooked on the relative ease with which I can surf around sites such as Google Maps. But the continued use of these sites underscores the need to keep your browser up-to-date.
Firefox just released version 188.8.131.52, and it will release another update in early September. These are pushed out automatically, so current Firefox users know when to apply them. Microsoft, however, doesn't do this. To get its updates, you will need to visit the Microsoft Update site or this recent cumulative security update for Internet Explorer (one caveat: you must be running either Windows 2000 or Windows XP; Microsoft will no longer patch legacy Windows systems, even for security vulnerabilities). When was the last time you updated your Internet browser? Talk back to me.