AJAX Vulnerabilities != Web Services Vulnerabilities

AJAX is in the news. Not for being an exciting "new" (I disagree with this description and anyone who makes such a claim, for the record) technology but for its ability to potentially expose clients (browsers, really) to vulnerabilities. Forum Systems sent out an alert this week regarding AJAX through its Vulcon XML security alert service. It was picked up by everyone who follows not only Web 2.0 news, but Web Services as well.

The concern is not necessarily for the server, though the server side components of AJAX could potentially be exploited, but for the client. Because AJAX takes advantage of JavaScript to parse and excute commands on data coming back from the server, and because those functions are generally visible right in the source of the page, they are vulnerable to being exploited.

While a man-in-the-middle attack could potentially exploit the basic workings of AJAX, it's more likely that mean-spirited functionality would be planted on a server and the client somehow directed to the site, resulting in "bad" code maliciously doing something nasty to the user's system.

Opponents of Web Services might view this as yet another reason to stay away from such technology. But this isn't a Web Services problem, it's not a SOAP problem, nor is it really a server side problem. It's wholly on the client's shoulders at this point as the entire technology set must rely upon the scripting language available within the browser to implement the technology. The use of underlying objects accessible through JavaScript in the browser to accomplish this task are indeed ingenious - a much better solution than say using a DIV and an IFRAME and some PHP calls, although the result is strikingly similar.

The problem is that there aren't too many "free" or at least inexpensive alternatives. Although Adobe has announced it will freely distribute the SDK for its Flex 2.0 technology, which is not only asynchronous but also synchronous and utilizes a pub/sub model for bi-directional communication, only the SDK is free; the design-time environment will still cost ya a pretty penny, even if you're just trying to learn about the technology.Adobe's solution, however, does address concerns regarding security, as its client is Flash and is not nearly as expoitable as a browser executing Javascript. It has other issues, namely cost and time invested in learning its specific ECMA implementation and although Flash is nearly ubiquitous, it hasn't the market saturation of a browser, especially the versions required to handle Flex 2.0.

So is AJAX a security risk? Probably. But let's not drag Web Services in general into the picture, just because AJAX is one of the most commonly used SOA client at this time. It isn't Web Services that is at fault, nor SOA, but the technology being used to implement its precepts.

Adobe's Flex 2.0 SDK Beta 1 is available here right now.