Security of Java based AJAX frameworks

Unfortunately, while AJAX incorporates the best
capabilities of both thick-client and thin-client
architectures, it is vulnerable to the same attacks
that affect both types of applications. Thick-client
applications are insecure because they could be
decompiled and analyzed by an attacker. The same
problem exists with AJAX applications - in fact even
more so, because in most cases the attacker does not
even need to go to the effort of decompiling the
program. Knowing the attack surface and the
architectural weakness of a chosen AJAX framework
lays the foundation for a software architect to
design and develop secure and enterprise-ready AJAX
web applications. This paper does not only discuss
general vulnerabilities of AJAX-based web
applications, but reflects these in a real-world
example showing the attack surface for applications
built with state-of-the-art AJAX frameworks like
JBoss Seam and Google Web Toolkit. The findings of
this paper help software architects and developers to
get a practical understanding of potential attacks.
They are a contribution to increase the security of
web applications.

Autorentext

Being active in the Internet business since 2001, my professionalinterests are focused on development and design of secureenterprise applications based on Java technology. After finishingmy INFORMATION MANAGEMENT studies in 1999 I continued to focus onsecurity relevant topics and finished my second studies ADVANCEDSECURITY ENGINEERING in 2008.

Klappentext

Unfortunately, while AJAX incorporates the bestcapabilities of both thick-client and thin-clientarchitectures, it is vulnerable to the same attacksthat affect both types of applications. Thick-clientapplications are insecure because they could bedecompiled and analyzed by an attacker. The sameproblem exists with AJAX applications - in fact evenmore so, because in most cases the attacker does noteven need to go to the effort of decompiling theprogram. Knowing the attack surface and thearchitectural weakness of a chosen AJAX frameworklays the foundation for a software architect todesign and develop secure and enterprise-ready AJAXweb applications. This paper does not only discussgeneral vulnerabilities of AJAX-based webapplications, but reflects these in a real-worldexample showing the attack surface for applicationsbuilt with state-of-the-art AJAX frameworks likeJBoss Seam and Google Web Toolkit. The findings ofthis paper help software architects and developers toget a practical understanding of potential attacks.They are a contribution to increase the security ofweb applications.