AJAX applications and security

Douglas Crockford, the creator of JSON, gave a talk entitled "AJAX Security" at the recent Web Directions South conference. In this talk, Crockford discussed some of the security concerns with AJAX applications and what can be done to address them.

Crockford emphasised that the main security concern with Ajax is the browser itself: the browser's security model is inappropriate for today's Ajax applications. The popularity of Ajax has given rise to mashups, which in turn introduce a new security risk. If your application uses scripts from more than one source, it is immediately insecure and open to XSS, because a web page has no way to distinguish scripts whose interests conflict, said Crockford. External sources such as ads, widgets and AJAX libraries possess exactly the same rights as the website's own scripts.

If an attacker manages to inject a script into your web page, they can:

  • Fetch more scripts from anywhere else
  • Send requests to your server, which cannot tell that the request did not originate from your application
  • See what the user sees
  • Trick the user into giving up information, since the user cannot tell that the request did not come from your application
  • Send information to any other server

The object-capability model limits the ways in which references can be obtained. These references, or capabilities, provide access to objects and allow objects to interact with each other.

A reference can be attained in the following ways:

  • Creation — attained by a function that creates an object
  • Construction — attained through an object's constructor
  • Introduction — a reference from one object to another is passed to it by a third object that already holds references to both; the reference passed is the capability

These are the only safe ways of obtaining references. If references can be obtained in any other way, your program is insecure.

The main problem with JavaScript is the global object. All scripts have the same rights and have full access to other scripts, which has been the cause of many XSS attacks.

Crockford proposed two possible solutions to the problem: JavaScript subsets and vats.

A JavaScript subset allows third-party code to execute while removing the language features that make it unsafe. Examples of JavaScript subsets are Caja, Cajita and ADsafe, the last of which was written by Crockford himself.

Vat architecture is an interesting concept whose aim is to make mashups more secure. The idea is to put different programs into containers or vats where they can run without interfering with each other. Restricted communication between the vats occurs via capabilities, to prevent any potential attacks. Apparently, Google Gears will provide a feature like this.
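The three ways of obtaining a reference, the global-object problem and the vat idea, worked through as an added example in plain JavaScript (this is not code from the talk, ADsafe, Caja or Google Gears; the profile store, the `Vat` class, the widget and the sample data are invented here for illustration):

```javascript
// Creation: a factory builds the object; its state lives in a closure and is
// reachable only through the methods the factory chose to return.
function makeProfileStore(initial) {
  const data = { ...initial };                   // private, never put on a global
  return Object.freeze({
    get: (key) => data[key],
    set: (key, value) => { data[key] = value; },
    // Attenuation: mint a weaker capability that can read one field only.
    readerFor: (key) => Object.freeze({ read: () => data[key] }),
  });
}

// Construction: a vat is built through its constructor and the host decides
// which capabilities go in; code run inside it sees nothing else.
class Vat {
  constructor(name, capabilities) {
    this.name = name;
    this.caps = Object.freeze({ ...capabilities });
  }
  run(untrustedFn) { return untrustedFn(this.caps); } // caps are the only input
}

// A third-party widget: it can use what it was introduced to, nothing more.
function greetingWidget(caps) {
  return {
    greeting: `Hello, ${caps.displayName.read()}`,
    capabilityMethods: Object.keys(caps.displayName), // read only, no set
    canSeeEmail: 'email' in caps,                     // never granted
  };
}

// The anti-pattern the talk warns about: a reference on the global object is
// a capability granted to every script on the page, ads and libraries included.
function globalLeakDemo() {
  globalThis.profile = { email: 'ada@example.org' };   // host "shares" via a global
  const anotherScript = () => globalThis.profile.email; // any script can reach it
  const leaked = anotherScript();
  delete globalThis.profile;
  return leaked;
}

function capabilityDemo() {
  // Constructed sample data for the demonstration.
  const store = makeProfileStore({ displayName: 'Ada', email: 'ada@example.org' });
  // Introduction: the host, which holds both store and widget, passes the widget
  // a read-only capability for one field; the store itself stays private.
  const vat = new Vat('greeting-widget', { displayName: store.readerFor('displayName') });
  return { ...vat.run(greetingWidget), emailIntact: store.get('email') === 'ada@example.org' };
}
```

The widget gets a greeting from the one field it was introduced to, while the e-mail address is unreachable from inside the vat; the global-object variant shows why a shared global is equivalent to handing every script a capability.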
