The web 2.0 concept is not sufficiently defined to allow a critical discussion of it, but we can discuss AJAX (Asynchronous JavaScript and XML). This concept, which underpins many web 2.0 sites, repackages and applies existing technologies to achieve a new structure for internet applications. Unfortunately, the increased flexibility creates the conditions for new security problems.

To understand how AJAX alters the security landscape for web application testing it is necessary to show the fundamental differences between it and traditional internet application models.

Traditional internet model
A web browser requests a web page, normally indicating that the request is being processed by animating a logo and altering the status bar. Internet Explorer, for example, animates the chequered flag. Figure 1 summarises this interaction. When the user clicks on a link, an HTTP GET request is sent to the server. The web server deals with the request and sends the web page to the client. If the client is to send information back to the server, another request is made following the same process. Under this synchronous ‘click-and-wait’ communication method, information is exchanged by requesting and receiving whole web pages. While waiting for the server, the user loses the focus of the application and cannot interact with it. This loss of focus has long been a source of dissatisfaction with traditional web applications, and if the wait for a round trip to the server is sufficiently long, users may leave the site.

The AJAX-enabled internet model
In this model a client requests a webpage. Once this full page is loaded, communication between the client and the server can be conducted in an asynchronous manner. This minimises the client’s waiting time, because only partial user interface update requests are made.

Full paper (PDF): The security risks of AJAX/web 2.0 applications