Hacking Web 2.0 Applications with Firefox
- By Matt Stephens
I foresee many readers sputtering into their morning coffee when I make the following statement, but here goes: One of the great benefits of AJAX is that a large proportion of the application logic is moved onto the client. Round trips between the server and the browser client are reduced, and the client can perform “sanity-checking” validation tasks without even touching the server.
So why the coffee sputtering? The security concerns raised by this “great trend” are many. If the same validation checks aren’t repeated on the server, then it becomes possible to “hack” the client (it’s only a web page after all, albeit a very clever web page) to send any old data back to the server, where the aberrant data will be accepted into the system without so much as a raised eyebrow.
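The server-side repeat of the client's checks, as an added example that is not from the original article. The field names, limits and sample request bodies are assumptions constructed for illustration.

```javascript
// Rules the page's JavaScript is assumed to enforce before sending; the
// server applies the same rules again (fields and limits are hypothetical).
const RULES = {
  username: v => typeof v === 'string' && /^[a-z0-9_]{3,20}$/.test(v),
  quantity: v => Number.isInteger(v) && v >= 1 && v <= 10,
  email:    v => typeof v === 'string' && v.length <= 254 &&
                 /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of rule violations; an empty list means the payload is acceptable.
function validate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return ['payload must be a JSON object'];
  }
  const errors = [];
  // Reject fields the form never offers instead of silently storing them.
  for (const key of Object.keys(payload)) {
    if (!has(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, ok] of Object.entries(RULES)) {
    if (!has(payload, key)) errors.push(`missing field: ${key}`);
    else if (!ok(payload[key])) errors.push(`invalid field: ${key}`);
  }
  return errors;
}

// Server-side entry point: works on the raw request body and never assumes
// the page's own validation code ran before the request was sent.
function handleSubmit(rawBody) {
  let payload;
  try {
    payload = JSON.parse(rawBody);
  } catch {
    return { status: 400, errors: ['body is not valid JSON'] };
  }
  const errors = validate(payload);
  return errors.length ? { status: 422, errors } : { status: 200, errors: [] };
}

// Constructed sample bodies: what the unmodified page would send, and what
// a page with its client-side checks edited out could send.
const fromPage = '{"username":"matt_s","quantity":2,"email":"m@example.org"}';
const tampered =
  '{"username":"matt_s","quantity":-500,"email":"m@example.org","isAdmin":true}';

console.log(handleSubmit(fromPage)); // accepted
console.log(handleSubmit(tampered)); // rejected with the violated rules listed
```

Keeping the rules in one table that both the page and the server load means the two sets of checks cannot drift apart.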
Already, worms such as Yamanner, Samy and Spaceflash are exploiting “client-side” AJAX frameworks. Basically, if anything ventures outside your server, it can be rewritten, snooped, hacked and so on.
As I mentioned a few days ago, an excellent AJAX debugging tool is the Firebug plug-in for Firefox. This article on SecurityFocus.com illustrates, step by step, how to debug web applications from a security standpoint using Firebug, and how to automate simulated web browsing using another Firefox plug-in, Chickenfoot.
By being aware of the potential security threats looming over Web 2.0 apps, you can create dynamic/asynchronous web pages that are as “bulletproof” as it’s possible to be given the inherent insecurity of web-based applications.