Session
Vulnerabilities 2.0 in Web 2.0: Next Generation Web Apps from a Hacker's Perspective
Alex Stamos, Founding Partner, iSEC Partners
Track: Web 2.0 Services and Platforms
Date: Monday, April 16
Time: 11:15am - 12:05pm
Location: 2022
Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser, has created new attacks as well as made classic web application attacks more difficult to prevent.
We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering, and object serialization attacks in AJAX applications, and will present our open source AJAX-based XSRF attack framework. We will also present a security analysis of several popular AJAX frameworks, including Microsoft Atlas, Prototype, Java DWR, Dojo, and SAJAX.
The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript.