Library tutorials & articles
Testing for Security in the Age of Ajax Programming
- Introduction
- It's in the Code
- Thinking like a Hacker
Introduction
Ajax programming is one of the most exciting new technologies in recent history. Ajax (Asynchronous Javascript and XML) allows a web page to refresh a small portion of its data from a web server, rather than being forced to reload and redraw the entire page as in traditional web programming. Since they can make frequent, small updates, web applications written with Ajax programming can present user interfaces that are more like desktop applications, which are more natural and intuitive interfaces for most users. However, just like Uncle Ben said to Peter Parker (aka Spider-Man™)1, with great power comes great responsibility. Web applications have become prime targets for malicious users and hackers performing SQL injection and similar attacks.
The flexibility and creativity that Ajax programming affords the developer also places a corresponding burden on him to ensure that his code is secure against these new threats. Also, since delivering a secure application is part of delivering a quality application, the burden is probably felt even greater by the Quality Assurance (QA) team. The QA team will now need to develop an entirely new set of functional, performance and security testing methods in order to thoroughly test the quality of applications using Ajax programming against SQL injection attacks and other security concerns.
Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the DevInspect and QAInspect Web security products, which help programmers maint...
Related articles
Related discussion
-
Anyone needing Application Security Testing?
by jaggudada (1 replies)
-
AJAX: SimpleWebServices is not defined
by Freon22 (2 replies)
Related podcasts
-
Beyond Ajax - Java Rich Internet Applications
AJAX is great for many applications, but not for all. When applications get large, need to scale, or require superior security, Java-based Rich Internet Applications (RIA) are preferable. There is a simple reason for this: Java offers the most advanced, most standardized, and most reliable cr...
Events coming up
-
Aug
4
Core Ajax: Enterprise Web Development with Ajax
London, United Kingdom
This intensive, 4-day Core Ajax training course teaches a scalable way of writing robust, user-friendly and secure Ajax solutions for the Enterprise.We will start by introducing Ajax from a business, design and coding perspective. We will then l...
It looks like there is no flaw in the Ajax model, for the example you mentioned could have been tried with the Non-Ajax Model also and still the application could have been suspectible to Sql Injection attack, which is a basic attack, the basic flaw that i saw was the programmer should have used the Parameterized commands instead of inline sql queries or better still the 3-Tier Architecture using Parameterized commands, which the most basic and common-sense approach to develop Web Applications.
I don't think that having Ajax will save the programmer from the Sql Injection Attack!
because Ajax was not designed to secure the programmer from these attacks. I think it is stupid to even think in this directions,...."... that why the application is still suspectible to Sql Injection attack, even though i had Ajaxified it?.
Ajax or No Ajax, First, the programmer should always get his basics clear!
I really liked the spirit and the language of the article, thanks for this nice article.
Regards,
Mahernoz
This thread is for discussions of Testing for Security in the Age of Ajax Programming.