New Web Technologies Such as AJAX Create New Security Challenges
Article by Rick Leinecker, June 3, 2007

It's the holy grail of Web developers: create a Web application that is rich and attractive, yet responsive. Those two goals give results at opposite ends of the spectrum. Web sites with rich content look attractive with their many graphical resources, but this slows down the page load time and can make the page response sluggish. The typical way to make a Web site more responsive is to remove unnecessary items such as graphics and sound. So these two goals of rich content and responsive Web sites become a balancing act that Web developers must carefully manage.

A new paradigm entered the scene several years ago. It's known as "Asynchronous JavaScript and XML", or AJAX for short. It essentially marries an old technology, JavaScript, with a newer one, Extensible Markup Language (XML). Together they make up AJAX, and the resulting technique gives developers a new tool for creating rich Web sites with reasonable response time.

I won't go into any technical details. But I do want to give you the single largest reason for the success of AJAX. It allows Web developers to treat sections of Web pages as separate entities. In the past Web developers had to treat an entire page as a single entity. Now, a button click can respond to the user and deliver content for a small part of the page without having to refresh the entire screen.

Okay, that's nice, but what does this have to do with computer security? As with any new technology, there are always unknown risks that it initially carries, and AJAX contains its share of security vulnerabilities. One that has been referred to as "pervasive and critical" has been documented. It gives an attacker the ability to steal critical data from servers by emulating unsuspecting users. The vulnerability - which allows an exploit called JavaScript Hijacking - can be found in the biggest AJAX frameworks out there, including three server-integrated toolkits: Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax.
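To make the JavaScript Hijacking defense concrete, here is an added example (not code from the article or from any of the toolkits it names): a simulated server-side guard for an AJAX JSON endpoint and the matching client-side parser. The request shape, the header and token names, the `)]}',` prefix and the sample record are all assumptions made for this illustration.

```javascript
// Defenses against JavaScript Hijacking: a data endpoint must not be loadable
// as a cross-site <script> with the victim's cookies. Three checks plus a
// response prefix are shown. All names and values below are constructed.

// Prefix that is a syntax error if evaluated as a script; the legitimate
// client strips it before parsing (assumed convention for this example).
const UNPARSEABLE_PREFIX = ")]}',\n";

// Simulated server handler. A request is
// {method, headers, sessionToken (from cookie), bodyToken (from POST body)}.
function serveUserData(req, userRecord) {
  // 1. Only accept POST: a <script src="..."> load is always a GET.
  if (req.method !== "POST") {
    return { status: 405, body: "" };
  }
  // 2. Require a custom header; a <script> tag cannot set one.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  // 3. Require the per-session anti-forgery token in the body; cookies are
  //    sent automatically by the browser, the body token is not.
  if (!req.bodyToken || req.bodyToken !== req.sessionToken) {
    return { status: 403, body: "" };
  }
  // 4. Even on success, prefix the JSON so the body is useless as a script.
  return { status: 200, body: UNPARSEABLE_PREFIX + JSON.stringify(userRecord) };
}

// Client side: strip the prefix, then parse. Rejects unprefixed bodies so a
// misconfigured endpoint is noticed rather than silently accepted.
function parseGuardedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error("response missing expected prefix");
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Constructed sample data and requests.
const sampleRecord = { user: "alice", balance: 1234 };
const legitimateRequest = {
  method: "POST",
  headers: { "x-requested-with": "XMLHttpRequest" },
  sessionToken: "tok-constructed-1",
  bodyToken: "tok-constructed-1",
};
// How a cross-site script load appears to the server: the victim's session
// cookie is present, but there is no custom header and no body token.
const scriptTagRequest = { method: "GET", headers: {}, sessionToken: "tok-constructed-1" };
```

Any one of the first three checks already stops the script-tag load; the prefix is defense in depth in case a framework later exposes the same data on a GET route.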

The threat targets servers and not client machines (the category into which almost all home users fall). But a vulnerability that threatens home users, too, may be discovered at a later date. Does this mean we should shun AJAX-enabled Web sites? No. Computer security is always a managed risk. You can't guarantee 100 percent safety. Your best defense is to make sure your computer automatically downloads updates. You can also occasionally search Google for "JavaScript security" or "AJAX security". Any new threats will surface as an article, and you can determine your best course of action.

AJAX is a net gain for Web users. It delivers on its promise of richer Web sites with better response. And the security vulnerabilities are being discovered and fixed. For me, the benefits far outweigh the risks. You can take a look at some AJAX examples by visiting the link at http://webdeveloper.econsultant.com/ajax-demos-examples-code-samples/.

Those are the basics of AJAX and the potential security risks.