However, as with all applications, ajax ones are vulnerable to attack; using ajax on your website won’t make you any more or less susceptible to cybercrime or malware attacks, for example.
The key to protecting yourself and your ajax applications from attack is to be aware of the vulnerabilities, and to take preventative action to prevent such attacks occurring.
What are the most common attacks and what preventative measures can you take?
Browser-based Attacks
This happens when a cybercriminal or hacker is able to get into the JavaScript of a website and run a variety of codes. A browser-based attack might take many forms, such as planting a virus on the system of anyone to access it, or redirecting pages of the website, usually the homepage, elsewhere.
The worst browser-based ajax attacks are designed to prevent malware from being accessed, meaning anyone falling victim to this has the double-whammy of not being able to do anything about their problem.
The easiest way to prevent this particular problem is to stop using JavaScript, but in doing so you’ll be removing the potential for potentially thousands of applications to run on your site. Instead, ensure firewalls and any software you use for your website is kept up to date, as these will feature the latest fixes and other security updates.
Cross-site Scripting (XSS)
XSS is an example of injecting malicious code into your site, which is then passed onto browsers without them realizing. Criminals and hackers might use XSS for various instances of cyber-fraud, including identity and data theft, the stealing of other confidential information, including company financial records, spying on users’ internet use, and more. This is clearly something that all website owners want to avoid hitting their website, as it has the potential to ruin their reputation as well as cost them a lot of money. Twitter was famously hit by an XSS attack in 2010.
There are several steps ajax developers can take to reduce the risk of XSS affecting them, including:
- Not using backslash encoding
- Using JavaScript hex and Unicode
- Using JSON.parse or json2.js libraries to parse JSON
Ajax Bridging
Ajax bridging is not a problem in itself, but there are vulnerabilities that can have catastrophic consequences if not protected against. The problem comes with websites that host third-party applications on their own website, hence ‘ajax bridging’ from one site to another.
Attacks, including XSS, can pass through these applications, meaning if you’re hosting an application that links to a site that has been attacked, you may be attacked, too. Hackers and criminals who target specific sites often use this method if they have been unable to exploit any other vulnerability, either within ajax or any other types of applications.
While the obvious solution might appear to be to avoid ajax bridging, it may be the case that it is a necessary feature of your website. With that in mind, ensure you audit any third party website that can access your own, and take steps to assure yourself their security features heavily minimize the likelihood of attack. Use scanning software, too, and ensure you can trust any website before you allow them to access your data or browsers.
Dealing with Ajax Vulnerabilities
The biggest thing to remember with ajax vulnerabilities is that they don’t present anything unique in terms of cyber-security, so can all be dealt with relatively easily. However, as with things such as SEO, it has to be stressed that dealing with ajax issues isn’t something that you merely do once; it is an on-going process that should be a central part of your web auditing and development. Having it on your agenda will ensure that, as your website grows, you’re always able to deal with any potential issues before they have the opportunity to occur.
ABout The Author:
Robert McKinley is an online technology expert who specializes in security, specifically with regards to online applications, VPS hosting and other web hosting solutions, third-party plug-ins, and online data protection.
