The explosion of AJAX-enabled Web sites and applications has raised security concerns about this dynamic, XML-based technology. Most scripting technologies are restricted to the server or the client--not both, as is the case with Asynchronous JavaScript and XML. Combining scripting on both the client and server would be problematic enough with the introduction of dynamic URLs and data in both environments, but when these elements join with XML and a SOA-like execution paradigm, security concerns are serious. XML security vendor Forum Systems, for example, issued an AJAX security alert earlier this year, and version 2.1 of the Open Web Application Security Project Guide will include a chapter on AJAX.

Cenzic, a long-time player in the application security field, has updated its Hailstorm vulnerability-assessment tool to include the ability to scan AJAX-enabled applications for a wide range of security weaknesses. Though Hailstorm remains Web-focused and does not include many of the top 10 XML/SOA-specific vulnerabilities, the tool is able to discover vulnerabilities that even its SOA security-focused counterparts may not be able to root out. This is largely due to AJAX's reliance on the browser's scripting capabilities. Security enforcement products such as Forum Systems' XWall and Sentry, Reactivity's XML Security Gateway and Layer 7 Technologies' Secure- Span XML Gateway don't account for such factors as session management and security, because they don't interact with the browser. A pairing of Hailstorm with any of these XML/SOA-specific security tools would constitute a complete Web 2.0 and SOA security strategy.

No Single Solution

No vulnerability assessment product finds all the holes in AJAX, SOAP and conventional Web apps. But Hailstorm competitors such as SPI Dynamics' WebInspect and Watchfire AppScan Audit have long been able to scan for Web application vulnerabilities to SQL injection attacks and buffer overflows in Web services and XML, and they're ahead of Cenzic in their ability to seek out SOA vulnerabilities. However, the rivals - with the exception of SPI Dynamics - don't address AJAX issues, such as authentication and authorization of dynamic links to scripts on the server; nor do they handle session-based vulnerabilities as well as Hailstorm.

Hailstorm's AJAX-specific security assessment capabilities are available as an update to the latest version. There's not much outward indication of the product's AJAX support other than the ability to edit AJAX request formats in the same way it offers editing of SQL injection strings. Hailstorm scans for AJAX vulnerabilities whenever it encounters an AJAX-enabled site. The product must be configured to test for security holes relevant to the technology, such as SQL injection, authentication and authorization, and a limited number of XML structural vulnerabilities.

Hailstorm does not perform signature-based scans. Instead, the program uses its internal Firefox browser to detect errors based on actual responses received. With AJAX-enabled sites, Hailstorm performs a complete XML structural analysis of the pages. First, the product retrieves pages with appropriate data, then it purposefully injects errors into the requests and evaluates the response based on the original correct response. This technique lets Hailstorm detect vulnerabilities that allow attacks such as privilege escalation, which generally appear on a page as additional options that are structurally correct.

The use of an internal browser lets Hailstorm perform session-based assessments of vulnerabilities such as session hijacking, which cannot be discovered using signature-based scans. There are drawbacks, however, to using its Firefox browser as the medium for vulnerability assessment, as it is unable to detect security holes in VBScript or Microsoft-specific technologies like ActiveX. As a workaround, Hailstorm provides a proxy-based scan that employs Internet Explorer for these technologies.

The Dirt on AJAX Security

In our tests, Hailstorm correctly detected a wealth of conventional vulnerabilities. When we directed Hailstorm to scan live sites that use AJAX, the product discovered several authentication and authorization vulnerabilities. These holes were no surprise to us. Most AJAX-enabled sites are implemented with no real thought about security. AJAX developers aren't aware of the need for authorization at the function level; instead, they authorize access only at the application level. The number of dynamically generated URLs and the core mechanism through which AJAX communicates with back-end servers provide many opportunities for anyone bent on hacking a site.

Hailstorm only detects vulnerabilities, though its explanations and thorough remediation options would help address security holes in both AJAX and conventional Web applications. XML and SOA security vendors such as Forum Systems, Layer 7, Reactivity and DataPower focus on SOAP security, but have also always been able to secure pure XML over HTTP. In other words, once Hailstorm identifies the vulnerabilities, you have several product-based remediation options beyond tossing the app back to the developers.

Hailstorm is offered as a software solution with both user and application pricing models, and as a managed service called ClickToSecure, which is priced on a per-application basis. Both models can be purchased as subscriptions or on a perpetual basis. ClickToSecure subscribers can seamlessly migrate from the Software as a Service solution to a corporate deployment at any time. Pricing is comparable to Teros (recently acquired by Citrix) and SPI Dynamics' WebInspect, and the inclusion of AJAX-specific functionality makes it worth the price.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].