Bryan Sullivan: Premature Ajax-ulation

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Summary: Interest in Ajax is sky-high and continues to grow. Unfortunately, far too many people rush into Ajax development without giving proper consideration to security issues. These unfortunate individuals suffer from the most embarrassing of security issues: Premature Ajax-ulation.

This presentation will demonstrate specific Ajax application design flaws that stem from a disregard for security, including improper use of client-side XSLT, use of overly or insufficiently granular server-side APIs, and storing secrets (either data or functionality) in client-side code. We will also perform live demonstrations of exploits of these vulnerabilities, including vastly more efficient blind SQL and blind XPath injection techniques, detecting and exploiting race conditions, and applying static analysis to deobfuscate client-side JavaScript.

Given the popularity of Ajax and the ease of use of framework helper libraries, it can be very tempting for developers to use Ajax when it is not really necessary. This is a significant security risk in itself, since Ajax applications can be more difficult to secure than traditional Web applications. Furthermore, the use of third-party frameworks can actually make the problem worse, since they hide potential security issues without truly resolving them. We will address these issues, recommend which Ajax frameworks to avoid, and recommend when to avoid Ajax altogether. Following the design and implementation guidelines set out in this presentation will help you delay your Ajax gratification and provide the highest level of security satisfaction for you and your partners.