The transfer of web 2.0 ideas to business-to-business applications, variously called enterprise 2.0 or enterprise web 2.0, is currently taking place with rich web applications (RWA) – browser-based rich internet applications – many of which use Ajax.

The root of the problem with security in RWA is the browser. The original browser was created to display World Wide Web pages containing hyperlinked documents, and its security model (one page, one request/response cycle, cookies sent automatically with every request to a site) was designed for that use. Today, browsers are being pushed to their limits by RWA, and the security analysis done in those early days of the web did not envisage today's techniques, such as running an asynchronous channel (XMLHttpRequest) in parallel with the standard HTTP request/response channel.

The consequence is that there are a number of tricky areas where it is easy for inexperienced developers to make mistakes. In principle, an RWA built with any client technology, Java applets and ASP.NET included, can be exposed to cross-site request forgery (CSRF) and to the distinct but often conflated problem of cross-site scripting (XSS); these are weaknesses of applications, not of the languages they are written in. In practice, however, the ubiquity of JavaScript in web 2.0 Ajax applications has meant that attackers currently concentrate on JavaScript.

Ajax frameworks are increasingly being relied upon to provide safeguards against these problems, but as the Fortify study into JavaScript hijacking found, not all projects have the same level of protection. Of the projects tested, Direct Web Remoting (DWR) had the best protection against these issues. DWR's remoting framework integrates with other Ajax libraries, such as Tibco GI (which sponsors DWR) and Dojo, that provide the user interface widgets. DWR can be used with most client-side Ajax frameworks and with Java on the server side.

The crucial issue is how the framework deals with the asynchronous traffic. Many Ajax sites return JavaScript Object Notation (JSON), but a JSON array sent in reply to a cookie-authenticated GET is itself a valid JavaScript program: a hostile page can load it with a script tag, the victim's browser attaches the session cookie, and the response is executed in the attacker's page. This is JavaScript hijacking. A safer approach is to return XML, which cannot be executed as script; Backbase and Tibco GI, for example, take this approach. Another security issue is how the object through which the asynchronous traffic is invoked, XMLHttpRequest, is used to manage the XML communication. Both Backbase and Tibco GI are quite strict in this, which helps to stop XSS problems.

Until a new generation of browsers appears that tackles the problem at its root, software developers will need to be aware that working with any RWA technology, including Ajax, requires an architectural approach that applies security at the application design level. In particular, JavaScript is being targeted by attackers, and Ajax developers are advised to use the safest frameworks available. The issue of security has also been identified by the OpenAjax Alliance (a cross-vendor organization dedicated to interoperable Ajax) as an area that needs addressing, so we hope to see security guidelines, and possibly standards, emerge from this group.

Source: OpinionWire by Butler Group (www.butlergroup.com)