Hi, my name's Brian Chess. I'm Chief Scientist of Fortify Software, and today we're going to talk about AJAX and security. AJAX stands for Asynchronous JavaScript And XML. It's a cool new web technology that people are using to build much, much richer user interfaces on the web. Google Maps is a great example of AJAX at work.
So today we're going to talk about the security implications of using AJAX in your applications. So in order to tell the story, we've got to go back in time to 1988. We're going to talk about the very first worm that ever hit the internet. It was called the Morris worm. Now in 1988, of course, programs on the internet were almost all written in the C programming language. And a big problem when you're writing in C is buffer overflows. So a program named sendmail had a buffer overflow in it, and that buffer overflow took advantage of a function named gets, which stands for "get string". So when you call gets, a bad guy can actually end up injecting code into your program. And as security folks like to say, as soon as a bad guy can run their code on your computer, it really isn't your computer anymore.
So now we're going to move forward to 2005, when the internet met the MySpace worm. Now the problem with MySpace wasn't related to C, because MySpace isn't written in C. The problem with MySpace was related to JavaScript. And in JavaScript you can't have a buffer overflow, but you can have a problem known as cross-site scripting, sometimes abbreviated XSS. Now the issue here is that when you've got a cross-site scripting problem, an attacker can, again, inject code that will then get executed in the browser.
Does it sound familiar yet? It's actually exactly the same thing that happens when you run into a buffer overflow in a C program. So from 1988 to 2005, what have we learned? Well, we still have problems with worms. We don't have problems as much anymore with C programs, but we have problems with JavaScript now. We don't have problems with buffer overflow; we've got problems with cross-site scripting. So the lesson programmers need to keep in mind is that when they're doing cool and exciting new stuff like AJAX, it really doesn't matter whether they're programming in C or in a language like JavaScript. You've got to keep security in mind.
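As an added example (not code from the talk, and not code from Fortify or MySpace): the shape a cross-site scripting bug takes in AJAX code, where a profile record fetched from the server is turned into markup, shown beside the hardened version. The sample record, the payload inside it, and the function names are constructed for this illustration.

```javascript
// Added example, not part of the original talk. A profile record as an AJAX
// endpoint might return it, parsed from JSON. The "about" field is user-
// supplied, so it is attacker-controlled. Both the record and the payload
// are constructed for the demonstration.
const sampleProfile = {
  name: "mallory",
  about: '<img src=x onerror="alert(document.cookie)">',
};

// VULNERABLE: markup is built by string concatenation and, in a browser,
// assigned to element.innerHTML. The attacker's <img> becomes live DOM and
// its onerror handler runs with the victim's session, which is exactly the
// "inject code that gets executed in the browser" step described above.
function renderProfileUnsafe(profile) {
  return `<h2>${profile.name}</h2><p>${profile.about}</p>`;
}

// Minimal HTML entity encoder for text placed into element content or a
// double-quoted attribute value. Each character that can change the meaning
// of the surrounding markup is replaced with an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// HARDENED: same template, but every untrusted field is encoded before it
// is spliced in, so the browser displays the attacker's text as text.
function renderProfileSafe(profile) {
  return `<h2>${escapeHtml(profile.name)}</h2><p>${escapeHtml(profile.about)}</p>`;
}

// Rough check used to compare the two renderings: does any raw tag in the
// output carry an inline event-handler attribute (onerror=, onload=, ...)?
// Encoded text never starts a tag, so it cannot match.
function hasInlineEventHandler(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Counts raw opening tags in the output. The template emits exactly two
// (<h2> and <p>); any extra tag was smuggled in through the data.
function countOpeningTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}
```

In a real page the cleanest fix is to avoid building HTML strings at all: create elements with `document.createElement` and set `element.textContent = profile.about`, so attacker-controlled data becomes a text node and is never parsed as markup. The encoder above is the fallback for code that must produce markup as a string.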