SlideShare a Scribd company logo

Ajax Security Dangers

D
drkimsky

This document discusses security issues with Ajax web applications. It describes how Ajax applications have a larger attack surface than traditional web applications due to additional entry points. This exposes the application to risks like information leakage through revealing internal functions, as well as risks from cross-site scripting and repudiation of requests. The document recommends approaches to secure Ajax applications.

1 of 8
Downloaded 49 times
1
2
3
4
5
6
7
8
Ajax security dangers White paper
Table of contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Problems with traditional web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Security issues for Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Increased attack surface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Information leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Repudiation of requests and cross-site scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Ajax bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Hype about Ajax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Introduction Ajax web applications With the growth of Web 2.0 and the movement towards Ajax is an acronym for Asynchronous JavaScript and a more interactive and responsive web, many applica- extensible markup language (XML). It is not a program- tions now employ Ajax, a collection of technologies that ming language or technology but a grouping of other has received a large amount of publicity and is being technologies that improves web application performance. quickly adopted by developers and corporations. While In Ajax web applications, the response time between Ajax can greatly improve the usability of a web applica- the client request and the server response is reduced.1 tion by improving its responsiveness and flexibility, it can This reduction is accomplished by exchanging small also create several attack opportunities if the application amounts of data between the user’s browser and has not been designed with security in mind. This white the server without refreshing the web page with paper describes the difference between traditional and each response. This design can drastically improve Ajax web applications, the benefits of the Ajax method- response time. ology, its security concerns and recommendations for securing web application development. In Ajax applications, JavaScript plays a larger role than in traditional web applications. At the beginning of Problems with traditional a session, the browser loads an Ajax engine, usually written in JavaScript, along with a web page. The engine then displays the web page that the user sees and web applications communicates the user’s requests back to the server. The presence of the Ajax engine lets the user interact with In traditional web applications, the browser typically the application without constantly refreshing the page.2 refreshes the entire web page when it receives a response from the server. This design often results in The Ajax engine sends Hypertext Transfer Protocol long pauses from when the client sends a request to (HTTP) requests to the server asynchronously. Therefore, the Internet to when the server returns a response, the application continues to respond to user events negatively affecting performance. and interaction while the server processes the request. When the client receives the response, the engine manipulates the document object model (DOM) to present the results to the user. Figure 1 shows the Ajax web application model. 1 The actual time between the client request and the server response only appears to be reduced. Ajax does not affect the server-side processing time. Its benefit is that Ajax provides the appearance of a more responsive website. 2 For more information about Ajax, see the essay, Ajax: A New Approach to Web Applications, from adaptive path. 3
Figure 1: Ajax web application model Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes An Ajax web application, however, sends many small Security issues for Ajax requests, which create more inputs into the application. These inputs, sometimes called Ajax endpoints, provide web applications more ways for attackers to get into the application. Using the house analogy, the two stories now have While Ajax can greatly improve the usability of a web windows in addition to the front and back doors. The application, it can also create several opportunities for doors can be locked, but attackers now have many possible attacks if the application is not designed with windows that they can break into and enter. The doors security in mind. As Ajax web applications exist on are no longer of consequence. both clients and servers, they include the following security issues: Information leakage • Creating a larger attack surface with more inputs The JavaScript in the Ajax engine traps the user to secure commands and sends function calls to the server. The • Exposing internal functions of the web application following are examples of user commands: server • Return the price for product ID 24. • Allowing a client-side script to access third-party resources with no built-in security mechanisms • Return valid cities for a given state. • Return the last valid address for user ID 78. This section describes these security concerns in more detail. • Update a user’s age in a database. Function calls provide “how to” information for each Increased attack surface user command. This information places an attacker Unlike traditional web applications, which exist almost inside the application. From this vantage point, the entirely on the server, Ajax applications extend across attacker possesses function names, variable names, the client and server. Such implementations require function parameters, return types, data types and a trust relationship between the client and server— valid data ranges. a relationship that attackers can exploit. Figure 2 shows an attacker virtually inside an Ajax You can compare a traditional web application to web application. a two-story house with no windows and only two ways to get in: a front door and a back door. Attackers have only two ways to break into the house. 4
Figure 2: An attacker is virtually in an Ajax application. Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes Repudiation of requests and cross-site Injecting and propagating XSS With traditional web applications, attackers manually scripting (XSS) inject and propagate XSS. Attackers can typically inject Browser requests and Ajax engine requests look identical. only one part of a website with reflection-based XSS, The server cannot discern a request made by JavaScript such as including scripts in an e-mail link, or stored and a request made in response to a user action. XSS, such as saving the script as an entry in a back- Therefore, it is difficult for users to prove that they did end database. not perform certain actions. With Ajax applications, XSS can propagate like a virus. Using Ajax, JavaScript can also send a request for The XSS payload can use Ajax requests to automatically resources in the background without users knowing. inject itself into pages and reinject the same host with The browser automatically adds the necessary authen- more XSS. This can occur with no hard refresh. Thus, tication or state-keeping information, such as cookies, XSS can send multiple requests using complex HTTP to the request. JavaScript code can access the response methods to propagate itself invisibly to the user. Several to the hidden request and send additional requests. examples have already surfaced. This expansion of JavaScript functionality increases the In October 2005, a member of MySpace.com created possible damage of a cross-site scripting (XSS) attack. a profile that included a self-propagating worm, known XSS is the injection of script, such as JavaScript or as the Samy worm, making it the first public use of XSS VBScript, into the page that a user’s browser receives. and Ajax. When a user viewed the profile, the worm The script is then executed from the browser, exposing code automatically added the viewer to Samy's “friends” the user to a variety of threats, such as cookie theft list. The worm code was also copied into the victim's (session hijacking and information leakage), keystroke profile, so that when another user viewed the victim's logging, screen scraping and denial of service attacks. profile, the infection spread. Ajax amplifies XSS In June 2006, the Yamanner worm infected Yahoo's With Ajax, XSS can make malicious requests with popular web mail service. The worm, using XSS and a user’s credentials without refreshing the web page. Ajax, took advantage of a vulnerability in Yahoo mail's Such activity can increase the potential for damage onload event handling. When a user opened an and theft of information. With traditional web applica- infected e-mail, the worm code executed its JavaScript tions, most information thefts occur with passive screen and sent a copy of itself to the infected user’s Yahoo scraping. The malicious script can secretly read the contacts. The infected e-mail carried a spoofed 'From' contents of the HTML only from the page that the user address that was randomly added from the infected is currently viewing. This content can then be sent to the system, making the malicious e-mail appear that it attacker. Using Ajax, an XSS attack can send requests came from a known source. for pages other than the page that the user is currently It took only eight months for XSS and Ajax worms to viewing. This lets the attacker actively “hunt” for certain develop from proofs of concept to full-fledged, malicious content and potentially access resources and data not attacks. Attackers are aware of this vulnerability. available through passive scraping. 5
Ajax bridging In this example, an attacker can do several things. To copy the entire author database from majorbook- For security purposes, Ajax applications can only connect store.com, the attacker can issue thousands of queries to the websites from which they come. For example, to the Ajax bridge running on securitybooks.com. JavaScript with Ajax downloaded from Yahoo cannot The relationship between the two websites allows connect to Google. To contact third-party sites, the Ajax the attacker to extract more data by going through service bridge was created. In a bridge, a host provides securitybooks.com than by using a free account from a web service that acts as a proxy to forward traffic majorbookstore.com. securitybooks.com can cache the between the JavaScript running on the client and the results it receives from majorbookstore.com to limit the third-party site. A bridge provides a “web service to number of queries it has to make, reduce bandwidth web service” connection. Many web frameworks, such and improve performance. As the attacker’s query may as Microsoft® ASP.NET AJAX, support Ajax bridging. be in the cache already, the attacker may be able to Custom solutions using PHP or common gateway extract data faster by using securitybooks.com. interface (CGI) programs can also provide bridging. An attacker can also send malicious requests through An Ajax bridge can connect to any web service on any the Ajax bridge from securitybooks.com to majorbook- host, using protocols such as Simple Object Access store.com. The bridge is another layer for the attacker Protocol (SOAP) and representational state transfer to hide behind. Normal business transactions can also (REST). Bridges can also connect to a custom web be hampered if an intrusion prevention system (IPS) service and arbitrary web resources, such as rich site at majorbookstore.com detects the malicious requests summary (RSS) feeds, HTML, Flash and binary content. coming from the securitybooks.com IP address and Security issues with bridges then automatically blocks all requests from security- Ajax bridges introduce several major security issues. books.com. An attacker may try to launch a structured For example, an Ajax-enabled, online book store called query language (SQL)SQL injection or an XSS attack securitybooks.com wants to access some of the web against majorbookstore.com but instead cause a denial services that majorbookstore.com provides, such as an of service attack against all securitybooks.com users. author search or genre recommendation service. To do The majorbookstore.com may not detect the attack being this, securitybooks.com sends JavaScript code over an relayed through the Ajax bridge. This may happen if Ajax bridge to majorbookstore.com. Although anyone majorbookstore.com does not review the requests it can get a free account to access majorbookstore.com’s receives from securitybooks.com for malicious content web services, the free accounts have limited privileges: as closely as the requests from other sites. The two The number of unique queries, simultaneous queries and parties have a partnership, and significant traffic hits per second is set low. A formal partnership agreement comes to marjorbooks.com from securitybooks.com. between the two companies allows securitybooks.com In this case, majorbooks.com web services are vulner- to access majorbookstore.com with fewer restrictions. able only if the attacks use securitybooks.com as an intermediary. 6
Hype about Ajax Recommendations Ajax and its effects on the Internet have received much publicity recently. Companies with complex web If you are considering converting a business application applications, such as MySpace.com, del.icio.us, and into a web application, ask the following questions: Writely.com, have been purchased for millions of • Should the application be a web application? dollars. Many conferences about Ajax and Web 2.0 • What do you gain by the conversion? applications have occurred all over the world. The hype about Ajax, however, has its own security ramifications. • Should the web application be an Ajax web application? First, the hype is driving programmers into the web application field. These novices often use “cut-and- If you decide to develop a web application, whether paste” application development to add functionality to traditional or Ajax, follow these recommendations: their projects without fully understanding the potential • Document the inputs that are allowed in your consequences. Most of these programmers are unfa- application. miliar with the security nuances of developing web • Validate all input before processing it. applications. This influx of programmers decreases the • Use white listing rather than black listing for validation. knowledge of those in the field. In turn, more technical White listing means you accept what you know is articles, computer books and online forums are targeted good data, while black listing uses a list of data that at novices. Ultimately, a small number of experts can is not allowed. For example, you know that a ZIP provide authoritative answers to an expanding audience. code should always have five numbers. White listing Second, the demand for these sophisticated web applica- the ZIP code input means only accepting five numbers, tions is causing some companies to embrace client-side nothing else. web applications. Often companies want to appear state • Always use the Secure Socket Layer (SSL) protocol to of the art, fend off start-up competitors or provide new transmit sensitive data, such as log-in credentials or front-end capabilities that their users will enjoy. Many bank account numbers. of these companies do not consider whether their applications should be web applications, let alone Ajax If you decide to retrofit your current web application or web applications. design a new one with Ajax, you should reduce the exposed program logic. 7
To learn more, visit www.hp.com/go/software © Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA1-5388ENW, October 2007

More Related Content

PDF
AJAX: How to Divert Threats
Cenzic
 
PDF
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
PPT
Ajax Security
Roberto Suggi Liverani
 
PPTX
Dzhengis 93098 ajax - security
dzhengo44
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
Become a Security Ninja
Paul Gilzow
 
PPTX
Web Hacking Intro
Aditya Kamat
 
PPTX
Browser Security 101
Stormpath
 
AJAX: How to Divert Threats
Cenzic
 
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
Ajax Security
Roberto Suggi Liverani
 
Dzhengis 93098 ajax - security
dzhengo44
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Become a Security Ninja
Paul Gilzow
 
Web Hacking Intro
Aditya Kamat
 
Browser Security 101
Stormpath
 

What's hot (20)

PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPTX
Web application attacks
hruth
 
PPTX
RSA Europe 2013 OWASP Training
Jim Manico
 
PPT
Hacking web applications
Adeel Javaid
 
PPTX
Spring Security
Boy Tech
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PDF
2013 OWASP Top 10
bilcorry
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPTX
Build A Killer Client For Your REST+JSON API
Stormpath
 
PPTX
Web application attack Presentation
Khoa Nguyen
 
PDF
Secure Web Services
Rob Daigneau
 
PPTX
Secure Your REST API (The Right Way)
Stormpath
 
PDF
Owasp top 10 2013
Edouard de Lansalut
 
PPTX
Token Authentication for Java Applications
Stormpath
 
PPTX
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
PPTX
Building Layers of Defense with Spring Security
Joris Kuipers
 
PPTX
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
PPTX
Access Control Pitfalls v2
Jim Manico
 
PPTX
Web Security Attacks
Sajid Hasan
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Web application attacks
hruth
 
RSA Europe 2013 OWASP Training
Jim Manico
 
Hacking web applications
Adeel Javaid
 
Spring Security
Boy Tech
 
Securing Web Applications with Token Authentication
Stormpath
 
2013 OWASP Top 10
bilcorry
 
Common Web Application Attacks
Ahmed Sherif
 
Build A Killer Client For Your REST+JSON API
Stormpath
 
Web application attack Presentation
Khoa Nguyen
 
Secure Web Services
Rob Daigneau
 
Secure Your REST API (The Right Way)
Stormpath
 
Owasp top 10 2013
Edouard de Lansalut
 
Token Authentication for Java Applications
Stormpath
 
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
Building Layers of Defense with Spring Security
Joris Kuipers
 
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
Access Control Pitfalls v2
Jim Manico
 
Web Security Attacks
Sajid Hasan
 
Ad

Similar to Ajax Security Dangers (20)

PPT
Ajax Ppt 1
JayaPrakash.m
 
PPTX
My Presentation On Ajax
Ghaffar Khan
 
PDF
Ajax white paper
Kugan Karthikeyan
 
PDF
Sencha Web Applications Come of Age
bastila
 
PDF
Effectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Microsoft Mobile Developer
 
ODP
Ajax Basics And Framework
shivas
 
PPTX
Ajax
Anaghabalakrishnan
 
PPTX
Ajax ppt
Gnaneshwar Kandikonda
 
PDF
A model for performance testing of ajax based web applications
eSAT Publishing House
 
PDF
Ajax & Reverse Ajax Presenation
Rishabh Garg
 
PPT
SynapseIndia asp.net2.0 ajax Development
Synapseindiappsdevelopment
 
PPT
Lessons from the Trenches: Engineering Great AJAX Experiences
goodfriday
 
PPT
Lessons
guest1019f4
 
PDF
Mobile Ajax Workshop
Bryan Rieger
 
PDF
Sunserver Open Solaris
pankaj009
 
PPTX
New microsoft office power point presentation
teach4uin
 
PPTX
Give your web apps some backbone
RTigger
 
PPT
Advantages and disadvantages of an ajax based client application
Placinta Alin
 
PDF
Ajax
Taroub Issa
 
PPTX
Ajax
Tech_MX
 
Ajax Ppt 1
JayaPrakash.m
 
My Presentation On Ajax
Ghaffar Khan
 
Ajax white paper
Kugan Karthikeyan
 
Sencha Web Applications Come of Age
bastila
 
Effectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Microsoft Mobile Developer
 
Ajax Basics And Framework
shivas
 
Ajax
Anaghabalakrishnan
 
Ajax ppt
Gnaneshwar Kandikonda
 
A model for performance testing of ajax based web applications
eSAT Publishing House
 
Ajax & Reverse Ajax Presenation
Rishabh Garg
 
SynapseIndia asp.net2.0 ajax Development
Synapseindiappsdevelopment
 
Lessons from the Trenches: Engineering Great AJAX Experiences
goodfriday
 
Lessons
guest1019f4
 
Mobile Ajax Workshop
Bryan Rieger
 
Sunserver Open Solaris
pankaj009
 
New microsoft office power point presentation
teach4uin
 
Give your web apps some backbone
RTigger
 
Advantages and disadvantages of an ajax based client application
Placinta Alin
 
Ajax
Taroub Issa
 
Ajax
Tech_MX
 
Ad

More from drkimsky (6)

PDF
Spi dynamik-sql-inj
drkimsky
 
PDF
Ajax Security
drkimsky
 
PDF
Vbaac
drkimsky
 
PDF
Jboss Exploit
drkimsky
 
PDF
Detecting Malice
drkimsky
 
PDF
Comm Web Virtual Payment Client
drkimsky
 
Spi dynamik-sql-inj
drkimsky
 
Ajax Security
drkimsky
 
Vbaac
drkimsky
 
Jboss Exploit
drkimsky
 
Detecting Malice
drkimsky
 
Comm Web Virtual Payment Client
drkimsky
 

Ajax Security Dangers

  • 2. Table of contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Problems with traditional web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Security issues for Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Increased attack surface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Information leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Repudiation of requests and cross-site scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Ajax bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Hype about Ajax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
  • 3. Introduction Ajax web applications With the growth of Web 2.0 and the movement towards Ajax is an acronym for Asynchronous JavaScript and a more interactive and responsive web, many applica- extensible markup language (XML). It is not a program- tions now employ Ajax, a collection of technologies that ming language or technology but a grouping of other has received a large amount of publicity and is being technologies that improves web application performance. quickly adopted by developers and corporations. While In Ajax web applications, the response time between Ajax can greatly improve the usability of a web applica- the client request and the server response is reduced.1 tion by improving its responsiveness and flexibility, it can This reduction is accomplished by exchanging small also create several attack opportunities if the application amounts of data between the user’s browser and has not been designed with security in mind. This white the server without refreshing the web page with paper describes the difference between traditional and each response. This design can drastically improve Ajax web applications, the benefits of the Ajax method- response time. ology, its security concerns and recommendations for securing web application development. In Ajax applications, JavaScript plays a larger role than in traditional web applications. At the beginning of Problems with traditional a session, the browser loads an Ajax engine, usually written in JavaScript, along with a web page. The engine then displays the web page that the user sees and web applications communicates the user’s requests back to the server. The presence of the Ajax engine lets the user interact with In traditional web applications, the browser typically the application without constantly refreshing the page.2 refreshes the entire web page when it receives a response from the server. This design often results in The Ajax engine sends Hypertext Transfer Protocol long pauses from when the client sends a request to (HTTP) requests to the server asynchronously. Therefore, the Internet to when the server returns a response, the application continues to respond to user events negatively affecting performance. and interaction while the server processes the request. When the client receives the response, the engine manipulates the document object model (DOM) to present the results to the user. Figure 1 shows the Ajax web application model. 1 The actual time between the client request and the server response only appears to be reduced. Ajax does not affect the server-side processing time. Its benefit is that Ajax provides the appearance of a more responsive website. 2 For more information about Ajax, see the essay, Ajax: A New Approach to Web Applications, from adaptive path. 3
  • 4. Figure 1: Ajax web application model Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes An Ajax web application, however, sends many small Security issues for Ajax requests, which create more inputs into the application. These inputs, sometimes called Ajax endpoints, provide web applications more ways for attackers to get into the application. Using the house analogy, the two stories now have While Ajax can greatly improve the usability of a web windows in addition to the front and back doors. The application, it can also create several opportunities for doors can be locked, but attackers now have many possible attacks if the application is not designed with windows that they can break into and enter. The doors security in mind. As Ajax web applications exist on are no longer of consequence. both clients and servers, they include the following security issues: Information leakage • Creating a larger attack surface with more inputs The JavaScript in the Ajax engine traps the user to secure commands and sends function calls to the server. The • Exposing internal functions of the web application following are examples of user commands: server • Return the price for product ID 24. • Allowing a client-side script to access third-party resources with no built-in security mechanisms • Return valid cities for a given state. • Return the last valid address for user ID 78. This section describes these security concerns in more detail. • Update a user’s age in a database. Function calls provide “how to” information for each Increased attack surface user command. This information places an attacker Unlike traditional web applications, which exist almost inside the application. From this vantage point, the entirely on the server, Ajax applications extend across attacker possesses function names, variable names, the client and server. Such implementations require function parameters, return types, data types and a trust relationship between the client and server— valid data ranges. a relationship that attackers can exploit. Figure 2 shows an attacker virtually inside an Ajax You can compare a traditional web application to web application. a two-story house with no windows and only two ways to get in: a front door and a back door. Attackers have only two ways to break into the house. 4
  • 5. Figure 2: An attacker is virtually in an Ajax application. Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes Repudiation of requests and cross-site Injecting and propagating XSS With traditional web applications, attackers manually scripting (XSS) inject and propagate XSS. Attackers can typically inject Browser requests and Ajax engine requests look identical. only one part of a website with reflection-based XSS, The server cannot discern a request made by JavaScript such as including scripts in an e-mail link, or stored and a request made in response to a user action. XSS, such as saving the script as an entry in a back- Therefore, it is difficult for users to prove that they did end database. not perform certain actions. With Ajax applications, XSS can propagate like a virus. Using Ajax, JavaScript can also send a request for The XSS payload can use Ajax requests to automatically resources in the background without users knowing. inject itself into pages and reinject the same host with The browser automatically adds the necessary authen- more XSS. This can occur with no hard refresh. Thus, tication or state-keeping information, such as cookies, XSS can send multiple requests using complex HTTP to the request. JavaScript code can access the response methods to propagate itself invisibly to the user. Several to the hidden request and send additional requests. examples have already surfaced. This expansion of JavaScript functionality increases the In October 2005, a member of MySpace.com created possible damage of a cross-site scripting (XSS) attack. a profile that included a self-propagating worm, known XSS is the injection of script, such as JavaScript or as the Samy worm, making it the first public use of XSS VBScript, into the page that a user’s browser receives. and Ajax. When a user viewed the profile, the worm The script is then executed from the browser, exposing code automatically added the viewer to Samy's “friends” the user to a variety of threats, such as cookie theft list. The worm code was also copied into the victim's (session hijacking and information leakage), keystroke profile, so that when another user viewed the victim's logging, screen scraping and denial of service attacks. profile, the infection spread. Ajax amplifies XSS In June 2006, the Yamanner worm infected Yahoo's With Ajax, XSS can make malicious requests with popular web mail service. The worm, using XSS and a user’s credentials without refreshing the web page. Ajax, took advantage of a vulnerability in Yahoo mail's Such activity can increase the potential for damage onload event handling. When a user opened an and theft of information. With traditional web applica- infected e-mail, the worm code executed its JavaScript tions, most information thefts occur with passive screen and sent a copy of itself to the infected user’s Yahoo scraping. The malicious script can secretly read the contacts. The infected e-mail carried a spoofed 'From' contents of the HTML only from the page that the user address that was randomly added from the infected is currently viewing. This content can then be sent to the system, making the malicious e-mail appear that it attacker. Using Ajax, an XSS attack can send requests came from a known source. for pages other than the page that the user is currently It took only eight months for XSS and Ajax worms to viewing. This lets the attacker actively “hunt” for certain develop from proofs of concept to full-fledged, malicious content and potentially access resources and data not attacks. Attackers are aware of this vulnerability. available through passive scraping. 5
  • 6. Ajax bridging In this example, an attacker can do several things. To copy the entire author database from majorbook- For security purposes, Ajax applications can only connect store.com, the attacker can issue thousands of queries to the websites from which they come. For example, to the Ajax bridge running on securitybooks.com. JavaScript with Ajax downloaded from Yahoo cannot The relationship between the two websites allows connect to Google. To contact third-party sites, the Ajax the attacker to extract more data by going through service bridge was created. In a bridge, a host provides securitybooks.com than by using a free account from a web service that acts as a proxy to forward traffic majorbookstore.com. securitybooks.com can cache the between the JavaScript running on the client and the results it receives from majorbookstore.com to limit the third-party site. A bridge provides a “web service to number of queries it has to make, reduce bandwidth web service” connection. Many web frameworks, such and improve performance. As the attacker’s query may as Microsoft® ASP.NET AJAX, support Ajax bridging. be in the cache already, the attacker may be able to Custom solutions using PHP or common gateway extract data faster by using securitybooks.com. interface (CGI) programs can also provide bridging. An attacker can also send malicious requests through An Ajax bridge can connect to any web service on any the Ajax bridge from securitybooks.com to majorbook- host, using protocols such as Simple Object Access store.com. The bridge is another layer for the attacker Protocol (SOAP) and representational state transfer to hide behind. Normal business transactions can also (REST). Bridges can also connect to a custom web be hampered if an intrusion prevention system (IPS) service and arbitrary web resources, such as rich site at majorbookstore.com detects the malicious requests summary (RSS) feeds, HTML, Flash and binary content. coming from the securitybooks.com IP address and Security issues with bridges then automatically blocks all requests from security- Ajax bridges introduce several major security issues. books.com. An attacker may try to launch a structured For example, an Ajax-enabled, online book store called query language (SQL)SQL injection or an XSS attack securitybooks.com wants to access some of the web against majorbookstore.com but instead cause a denial services that majorbookstore.com provides, such as an of service attack against all securitybooks.com users. author search or genre recommendation service. To do The majorbookstore.com may not detect the attack being this, securitybooks.com sends JavaScript code over an relayed through the Ajax bridge. This may happen if Ajax bridge to majorbookstore.com. Although anyone majorbookstore.com does not review the requests it can get a free account to access majorbookstore.com’s receives from securitybooks.com for malicious content web services, the free accounts have limited privileges: as closely as the requests from other sites. The two The number of unique queries, simultaneous queries and parties have a partnership, and significant traffic hits per second is set low. A formal partnership agreement comes to marjorbooks.com from securitybooks.com. between the two companies allows securitybooks.com In this case, majorbooks.com web services are vulner- to access majorbookstore.com with fewer restrictions. able only if the attacks use securitybooks.com as an intermediary. 6
  • 7. Hype about Ajax Recommendations Ajax and its effects on the Internet have received much publicity recently. Companies with complex web If you are considering converting a business application applications, such as MySpace.com, del.icio.us, and into a web application, ask the following questions: Writely.com, have been purchased for millions of • Should the application be a web application? dollars. Many conferences about Ajax and Web 2.0 • What do you gain by the conversion? applications have occurred all over the world. The hype about Ajax, however, has its own security ramifications. • Should the web application be an Ajax web application? First, the hype is driving programmers into the web application field. These novices often use “cut-and- If you decide to develop a web application, whether paste” application development to add functionality to traditional or Ajax, follow these recommendations: their projects without fully understanding the potential • Document the inputs that are allowed in your consequences. Most of these programmers are unfa- application. miliar with the security nuances of developing web • Validate all input before processing it. applications. This influx of programmers decreases the • Use white listing rather than black listing for validation. knowledge of those in the field. In turn, more technical White listing means you accept what you know is articles, computer books and online forums are targeted good data, while black listing uses a list of data that at novices. Ultimately, a small number of experts can is not allowed. For example, you know that a ZIP provide authoritative answers to an expanding audience. code should always have five numbers. White listing Second, the demand for these sophisticated web applica- the ZIP code input means only accepting five numbers, tions is causing some companies to embrace client-side nothing else. web applications. Often companies want to appear state • Always use the Secure Socket Layer (SSL) protocol to of the art, fend off start-up competitors or provide new transmit sensitive data, such as log-in credentials or front-end capabilities that their users will enjoy. Many bank account numbers. of these companies do not consider whether their applications should be web applications, let alone Ajax If you decide to retrofit your current web application or web applications. design a new one with Ajax, you should reduce the exposed program logic. 7
  • 8. To learn more, visit www.hp.com/go/software © Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA1-5388ENW, October 2007