April 12, 2007

Ajax security becomes urgent issue in enterprise web 2.0

Fortify Software has reported that Ajax applications, which underpin many mainly consumer-facing web 2.0 websites, are vulnerable to JavaScript hijacking, a form of cross-site request forgery. Clearly, security is a weak area in Ajax, and a concerted effort is needed to improve awareness and understanding of the vulnerabilities and how to deal with them if enterprise web 2.0 is to succeed.

By CBR Staff Writer

The transfer of web 2.0 ideas to business-to-business applications, variously called enterprise 2.0 or enterprise web 2.0, is currently taking place with rich web applications (RWA) – browser-based rich internet applications – many of which use Ajax.

The root of the problem with security in RWA is the browser. The original browser was created to display World Wide Web pages containing hyperlinked documents. Today, however, browsers are being pushed to their limits by RWA, and the security analysis done in those early days of the web did not envisage today’s advances, such as running an asynchronous channel in parallel with the standard HTTP request/response channel.

The consequence is that there are a number of tricky areas where it is easy for inexperienced developers to make mistakes. In principle, RWA written in any of the available technologies, including Java applets and ASP.NET, are vulnerable to cross-site request forgery (CSRF) and to the related problem of cross-site scripting (XSS). However, the ubiquitous presence of JavaScript due to web 2.0 Ajax usage has meant that malicious activity currently focuses on JavaScript-based applications.

Ajax frameworks are increasingly being relied upon to provide safeguards against these problems, but as the Fortify study into JavaScript hijacking found, not all projects have the same level of protection. Of the projects tested, Direct Web Remoting (DWR) had the best protection against these issues. DWR’s remoting framework integrates with other Ajax libraries, such as Tibco GI (which sponsors DWR) and Dojo, that provide the user interface widgets. DWR can be used with most client-side Ajax frameworks and with Java on the server side.

The crucial issue is how the framework deals with the asynchronous traffic: many Ajax sites use JavaScript Object Notation (JSON), but because a JSON response is itself valid JavaScript, it is vulnerable to JavaScript hijacking. A safer approach is to transport XML instead, which cannot be executed as script; Backbase and Tibco GI, for example, take this approach. Another security issue is how the object through which the asynchronous traffic is invoked, XMLHttpRequest, is used to manage the XML communication. Both Backbase and Tibco GI, for example, are quite strict about this and can stop XSS problems.
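To make the CSRF/JavaScript-hijacking point of the previous two paragraphs concrete, the following added example (written for this page; it is not code from the article, from Fortify, or from any of the frameworks named) shows why the shape of a JSON response matters and what a framework's safeguard typically does. A bare JSON array literal parses as a complete JavaScript program, so a page on another origin could load it with a script tag and have the browser send the victim's cookies with the request; prefixing the body with a deliberate syntax error defeats that, because a script tag must parse the whole body while the site's own XMLHttpRequest code can read it as text and strip the prefix first. The function names, the prefix string and the sample records are assumptions made for the illustration.

```javascript
// Added example, not the article's or any framework's code. Names and the
// sample data are hypothetical.

// A response body that starts with ")]}'," cannot be parsed as a script.
// Several Ajax frameworks adopted a prefix of this kind as an anti-hijacking
// measure (the exact string here is an assumption).
const UNPARSEABLE_PREFIX = ")]}',\n";

// Would a <script src="..."> tag on a hostile page be able to parse this body?
// new Function() only compiles the text; nothing in it is executed.
function executableAsScript(body) {
  try {
    new Function(body);
    return true;          // valid program: a cross-site script tag could load it
  } catch (e) {
    return false;         // SyntaxError: a script tag would reject it
  }
}

// Unprotected responder: a bare JSON array, i.e. a valid JavaScript program.
function vulnerableResponse(records) {
  return JSON.stringify(records);
}

// Hardened responder: same JSON, but the prefix makes it a syntax error.
function hardenedResponse(records) {
  return UNPARSEABLE_PREFIX + JSON.stringify(records);
}

// Client side (the site's own XMLHttpRequest handler): verify and strip the
// prefix, then parse the JSON. A missing prefix means the endpoint is not
// protected and the caller should treat that as a bug, not fall back silently.
function parseHardened(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error("response lacks the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Second, independent layer: require a custom request header. A cross-origin
// script tag or HTML form cannot add arbitrary headers, so its presence shows
// the request came from the site's own XMLHttpRequest code. Header names are
// compared lower-case, as most server frameworks expose them.
function allowsSensitiveRequest(headers) {
  return headers["x-requested-with"] === "XMLHttpRequest";
}

// Constructed sample data standing in for a user-specific JSON endpoint.
const SAMPLE_RECORDS = [
  { id: 1, email: "alice@example.com" },
  { id: 2, email: "bob@example.com" },
];

// Stand-alone demonstration.
console.log("bare array executable as script:",
  executableAsScript(vulnerableResponse(SAMPLE_RECORDS)));
console.log("prefixed body executable as script:",
  executableAsScript(hardenedResponse(SAMPLE_RECORDS)));
console.log("client parses prefixed body:",
  JSON.stringify(parseHardened(hardenedResponse(SAMPLE_RECORDS))));
```

Note the asymmetry the example relies on: a JSON object literal such as `{"id":1}` is already a syntax error as a script body (the braces read as a block and `"id":` is not a valid label), which is why returning a top-level object rather than an array was historically considered safer; the prefix and the header check work regardless of the response's shape and should be preferred to relying on that accident of grammar.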

Until a new generation of browsers appears that tackles the problem at its root, software developers will need to be aware that working with any RWA technology, including Ajax, requires an architectural approach that applies security at the application design level. In particular, JavaScript is being targeted by the black hats, and Ajax developers are advised to use the safest frameworks available. The issue of security has also been mentioned by the OpenAjax Alliance (a cross-vendor organization dedicated to interoperable Ajax) as an area that needs addressing, so we hope to see security guidelines, and possibly standards, emerge from this group.

Source: OpinionWire by Butler Group (
