Are we ready for AJAX?

Michael Schwarz on Thursday, January 25, 2007

I had a watch today on the webcast How Hackers Reverse Engineer and Exploit an Ajax Application [1]. There wasn't any new security issue as we already should know as AJAX or web application developers. Samples did show how to hack the AutoComplete.asmx web service (using ASP.NET AJAX [2]) which was used on a demo web application using SQL Injection.

But one thing I noticed was very interessting in the question and answers box in Microsoft Live Meeting during the webcast:

Question: If I secure WebServices using FormAuthentication, will it prevent Hacking Ajax WebService?Answer: No necessarily, it will reduce hacking by users who do not have credentials, but will not unilaterally secure your app.

Question: Does normally a web service require a security key to call that can prevent attacker from calling it successfully? Answer: not unless you specifically develop your app that way ?

Question: Ajax-Client see data as clear text, Is this easier to hack than what a user sees in browser as clear text? (specially by marlicious js code by hacker fro Mashup) Answer: No - both are pretty easy ..

Question: Sorry, I missed the first 20 minutes of the webcast, are you saying that it is good or bad to use ASP.NET AJAX, security-wise? Answer: Good - but like ALL dev technology, you need to be doing the right things in your code !!

Question: FireBug showed MS-Ajax AutoComplete uses POST while Google-Suggest uses GET, any security issue? or Just SOAP vs. REST, comment on POST vs. GET Answer: No - also, SOAP is not used by defualt using MS AJAX

Are we really read for AJAX? Are you ready writing secure web applications? I feel very bad when I see how easy it is to find open webs. A simple search for user filetype:asmx [3] on Google returned me a long list of web services where sometimes it was possible to get a list of usernames. While web services are still developed (sometimes) unsecure, are AJAX applications more secure, now?