Hacking Web 2.0 Applications with Firefox -- ADTmag

Hacking Web 2.0 Applications with Firefox

By Matt Stephens
October 19, 2006

I foresee many readers sputtering into their morning coffee when I make the following statement, but here goes: One of the great benefits of AJAX is that a large proportion of the application logic is moved onto the client. Round-tripping between the server and the browser client are reduced; and the client can perform “sanity-checking” validation tasks without even touching the server.

So why the coffee sputtering? The security concerns raised by this “great trend” are many. If the same validation checks aren’t repeated on the server, then it becomes possible to “hack” the client (it’s only a web page after all, albeit a very clever web page) to send any old data back to the server, where the aberrant data will be accepted into the system without so much as a raised eyebrow.

In fact, all sorts of network data can be hacked: query parameters that are going to be applied to a database query are subject to an SQL injection attack (note that SQL injection attacks affect “boring” Web 1.0 webapps just as much as their shiny 2.0 successors). Web pages that import JavaScript libraries may be exposing more application logic to the browser than they need to: so the wily user could discover all sorts of snippets of information about the application, just by browsing the JavaScript files that have been so kindly handed to them.

Already, worms such as Yamanner, Samy and Spaceflash are exploiting “client-side” AJAX frameworks. Basically, if anything ventures outside your server, it can be rewritten, snooped, hacked and so on.

As I mentioned a few days ago, an excellent AJAX debugging tool is the Firebug plug-in for Firefox. This article on SecurityFocus.com illustrates step-by-step how to debug web applications from a security standpoint, using Firebug, and to automate simulated web browsing using another Firefox plugin, chickenfoot.

By being aware of the potential security threats looming over Web 2.0 apps, you can create dynamic/asynchronous web pages that are as “bulletproof” as it’s possible to be given the inherent insecurity of web-based applications.

About the Author

Matt Stephens is a senior architect, programmer and project leader based in Central London. He co-wrote Agile Development with ICONIX Process, Extreme Programming Refactored, and Use Case Driven Object Modeling with UML - Theory and Practice.

Featured

AppTrends

Email Address*Country*

Please type the letters/numbers you see above.

Upcoming Training Events

0 AM

Visual Studio Live! Chicago
April 29-May 3, 2024

VSLive! 2-Day Training Seminar: Building Cloud-Ready, Resilient Systems in .NET
June 4-5, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
July 16-19, 2024

Visual Studio Live! Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

VSLive! 4-Day Hands-On Training Seminar: Hands-on with Blazor
September 17-20, 2024

VSLive! 2-Day Hands-On Training Seminar: Developing Secure ASP.NET Web Apps
September 24-25, 2024

Live! 360 Orlando
November 17-22, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
December 10-13, 2024

Free White Papers

More Tech Library