File:DenimGroup AJAXSecurityHereWeGoAgain Content 20060829.pdf

Abstract: AJAX (or Asynchronous JavaScript And XML) is the hot new web programming technique being used to create rich Internet applications. By interacting with the server behind the scenes and updating web page DOMs, AJAX applications bring a new level of responsiveness to the web and open exciting new possibilities for creating new classes of applications. The success of applications such as Google Maps and Flickr is a testament to the exciting potential AJAX techniques bring to the discipline of web application development.

Unfortunately, many organizations implementing these techniques are doing so without considering the security implications for application design and development. Furthermore, because these techniques are so new, the threats and countermeasures are not well understood. This presentation will give an explanation of AJAX techniques and will examine the underlying constructs and their behavior. Next it will examine how common web application vulnerabilities translate to AJAX environments, as well as new threats that are specific to AJAX applications. The presentation will conclude with a demonstration of "sprajax," an alpha-release open-source tool developed by Denim Group that analyzes web applications for potential security vulnerabilities exposed through the use of AJAX.

Presenter Bio: Dan Cornell is a Principal of the Denim Group, a Texas-based consultancy providing software development and application security services. He has extensive experience architecting and developing enterprise web applications on a variety of platforms as well as training and mentoring development teams on application security and secure coding techniques. Dan is the creator and primary author of the sprajax open source AJAX security assessment tool. He is an MCSD as well as a Java 2 Certified Programmer.