Testing for Security in the Age of Ajax Programming

Page 3 of 3
  1. Introduction
  2. It's in the Code
  3. Thinking like a Hacker

Thinking like a Hacker

In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. Since the hacker doesn’t restrict himself to using just a browser to attack a web application (with or without Ajax programming), neither should the QA engineer use just a browser to test it. At a minimum, the application should be tested with the same type of raw HTTP tool that the hacker uses. An even better approach is to use an automated security analysis tool that performs these tests. Automated tools can make thousands of test requests in an hour; work that would take a QA engineer a week or more to perform manually. Additionally, these tools generally have an extensive set of techniques that they use to detect security defects such as SQL injection vulnerabilities QA engineers would unlikely be aware of these techniques unless they had a background in information security. There are several excellent security analysis tools available commercially. Additional resources for learning about web application security and security analysis tools include the Web Application Security Consortium (WASC), the Open Web Application Security Project (OWASP), and the SANS (SysAdmin, Audit, Network, Security) Institute.

It seems likely that Web applications using Ajax programming are the future of web development. The robust user interface that web pages comprised of Ajax programming can provide represents a huge leap in usability over traditional web pages. But, this power comes with a price: the programmers and QA engineers must move beyond browsers alone when testing the application. Security vulnerabilities can lurk in code that is accessible only by specialized low-level request tools. Hackers will be more than willing to use these tools against your web applications, so your QA team must use the same tactics to find the vulnerabilities first.

You might also like...


About the author

Bryan Sullivan United States

Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the

  • www.spidynamics.com
  • Interested in writing for us? Find out more.


    Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

    Our tools

    We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

    “Measuring programming progress by lines of code is like measuring aircraft building progress by weight.” - Bill Gates