Testing for Security in the Age of Ajax Programming

In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. Since the hacker doesn’t restrict himself to using just a browser to attack a web application (with or without Ajax programming), neither should the QA engineer use just a browser to test it. At a minimum, the application should be tested with the same type of raw HTTP tool that the hacker uses. An even better approach is to use an automated security analysis tool that performs these tests. Automated tools can make thousands of test requests in an hour; work that would take a QA engineer a week or more to perform manually. Additionally, these tools generally have an extensive set of techniques that they use to detect security defects such as SQL injection vulnerabilities QA engineers would unlikely be aware of these techniques unless they had a background in information security. There are several excellent security analysis tools available commercially. Additional resources for learning about web application security and security analysis tools include the Web Application Security Consortium (WASC), the Open Web Application Security Project (OWASP), and the SANS (SysAdmin, Audit, Network, Security) Institute.

It seems likely that Web applications using Ajax programming are the future of web development. The robust user interface that web pages comprised of Ajax programming can provide represents a huge leap in usability over traditional web pages. But, this power comes with a price: the programmers and QA engineers must move beyond browsers alone when testing the application. Security vulnerabilities can lurk in code that is accessible only by specialized low-level request tools. Hackers will be more than willing to use these tools against your web applications, so your QA team must use the same tactics to find the vulnerabilities first.