SlideShare ist ein Scribd-Unternehmen logo

Ajax Security Dangers

D
drkimsky
1 von 8
Downloaden Sie, um offline zu lesen
Ajax security dangers White paper
Table of contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Problems with traditional web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Security issues for Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Increased attack surface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Information leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Repudiation of requests and cross-site scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Ajax bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Hype about Ajax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Introduction Ajax web applications With the growth of Web 2.0 and the movement towards Ajax is an acronym for Asynchronous JavaScript and a more interactive and responsive web, many applica- extensible markup language (XML). It is not a program- tions now employ Ajax, a collection of technologies that ming language or technology but a grouping of other has received a large amount of publicity and is being technologies that improves web application performance. quickly adopted by developers and corporations. While In Ajax web applications, the response time between Ajax can greatly improve the usability of a web applica- the client request and the server response is reduced.1 tion by improving its responsiveness and flexibility, it can This reduction is accomplished by exchanging small also create several attack opportunities if the application amounts of data between the user’s browser and has not been designed with security in mind. This white the server without refreshing the web page with paper describes the difference between traditional and each response. This design can drastically improve Ajax web applications, the benefits of the Ajax method- response time. ology, its security concerns and recommendations for securing web application development. In Ajax applications, JavaScript plays a larger role than in traditional web applications. At the beginning of Problems with traditional a session, the browser loads an Ajax engine, usually written in JavaScript, along with a web page. The engine then displays the web page that the user sees and web applications communicates the user’s requests back to the server. The presence of the Ajax engine lets the user interact with In traditional web applications, the browser typically the application without constantly refreshing the page.2 refreshes the entire web page when it receives a response from the server. This design often results in The Ajax engine sends Hypertext Transfer Protocol long pauses from when the client sends a request to (HTTP) requests to the server asynchronously. Therefore, the Internet to when the server returns a response, the application continues to respond to user events negatively affecting performance. and interaction while the server processes the request. When the client receives the response, the engine manipulates the document object model (DOM) to present the results to the user. Figure 1 shows the Ajax web application model. 1 The actual time between the client request and the server response only appears to be reduced. Ajax does not affect the server-side processing time. Its benefit is that Ajax provides the appearance of a more responsive website. 2 For more information about Ajax, see the essay, Ajax: A New Approach to Web Applications, from adaptive path. 3
Figure 1: Ajax web application model Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes An Ajax web application, however, sends many small Security issues for Ajax requests, which create more inputs into the application. These inputs, sometimes called Ajax endpoints, provide web applications more ways for attackers to get into the application. Using the house analogy, the two stories now have While Ajax can greatly improve the usability of a web windows in addition to the front and back doors. The application, it can also create several opportunities for doors can be locked, but attackers now have many possible attacks if the application is not designed with windows that they can break into and enter. The doors security in mind. As Ajax web applications exist on are no longer of consequence. both clients and servers, they include the following security issues: Information leakage • Creating a larger attack surface with more inputs The JavaScript in the Ajax engine traps the user to secure commands and sends function calls to the server. The • Exposing internal functions of the web application following are examples of user commands: server • Return the price for product ID 24. • Allowing a client-side script to access third-party resources with no built-in security mechanisms • Return valid cities for a given state. • Return the last valid address for user ID 78. This section describes these security concerns in more detail. • Update a user’s age in a database. Function calls provide “how to” information for each Increased attack surface user command. This information places an attacker Unlike traditional web applications, which exist almost inside the application. From this vantage point, the entirely on the server, Ajax applications extend across attacker possesses function names, variable names, the client and server. Such implementations require function parameters, return types, data types and a trust relationship between the client and server— valid data ranges. a relationship that attackers can exploit. Figure 2 shows an attacker virtually inside an Ajax You can compare a traditional web application to web application. a two-story house with no windows and only two ways to get in: a front door and a back door. Attackers have only two ways to break into the house. 4
Figure 2: An attacker is virtually in an Ajax application. Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes Repudiation of requests and cross-site Injecting and propagating XSS With traditional web applications, attackers manually scripting (XSS) inject and propagate XSS. Attackers can typically inject Browser requests and Ajax engine requests look identical. only one part of a website with reflection-based XSS, The server cannot discern a request made by JavaScript such as including scripts in an e-mail link, or stored and a request made in response to a user action. XSS, such as saving the script as an entry in a back- Therefore, it is difficult for users to prove that they did end database. not perform certain actions. With Ajax applications, XSS can propagate like a virus. Using Ajax, JavaScript can also send a request for The XSS payload can use Ajax requests to automatically resources in the background without users knowing. inject itself into pages and reinject the same host with The browser automatically adds the necessary authen- more XSS. This can occur with no hard refresh. Thus, tication or state-keeping information, such as cookies, XSS can send multiple requests using complex HTTP to the request. JavaScript code can access the response methods to propagate itself invisibly to the user. Several to the hidden request and send additional requests. examples have already surfaced. This expansion of JavaScript functionality increases the In October 2005, a member of MySpace.com created possible damage of a cross-site scripting (XSS) attack. a profile that included a self-propagating worm, known XSS is the injection of script, such as JavaScript or as the Samy worm, making it the first public use of XSS VBScript, into the page that a user’s browser receives. and Ajax. When a user viewed the profile, the worm The script is then executed from the browser, exposing code automatically added the viewer to Samy's “friends” the user to a variety of threats, such as cookie theft list. The worm code was also copied into the victim's (session hijacking and information leakage), keystroke profile, so that when another user viewed the victim's logging, screen scraping and denial of service attacks. profile, the infection spread. Ajax amplifies XSS In June 2006, the Yamanner worm infected Yahoo's With Ajax, XSS can make malicious requests with popular web mail service. The worm, using XSS and a user’s credentials without refreshing the web page. Ajax, took advantage of a vulnerability in Yahoo mail's Such activity can increase the potential for damage onload event handling. When a user opened an and theft of information. With traditional web applica- infected e-mail, the worm code executed its JavaScript tions, most information thefts occur with passive screen and sent a copy of itself to the infected user’s Yahoo scraping. The malicious script can secretly read the contacts. The infected e-mail carried a spoofed 'From' contents of the HTML only from the page that the user address that was randomly added from the infected is currently viewing. This content can then be sent to the system, making the malicious e-mail appear that it attacker. Using Ajax, an XSS attack can send requests came from a known source. for pages other than the page that the user is currently It took only eight months for XSS and Ajax worms to viewing. This lets the attacker actively “hunt” for certain develop from proofs of concept to full-fledged, malicious content and potentially access resources and data not attacks. Attackers are aware of this vulnerability. available through passive scraping. 5
Ajax bridging In this example, an attacker can do several things. To copy the entire author database from majorbook- For security purposes, Ajax applications can only connect store.com, the attacker can issue thousands of queries to the websites from which they come. For example, to the Ajax bridge running on securitybooks.com. JavaScript with Ajax downloaded from Yahoo cannot The relationship between the two websites allows connect to Google. To contact third-party sites, the Ajax the attacker to extract more data by going through service bridge was created. In a bridge, a host provides securitybooks.com than by using a free account from a web service that acts as a proxy to forward traffic majorbookstore.com. securitybooks.com can cache the between the JavaScript running on the client and the results it receives from majorbookstore.com to limit the third-party site. A bridge provides a “web service to number of queries it has to make, reduce bandwidth web service” connection. Many web frameworks, such and improve performance. As the attacker’s query may as Microsoft® ASP.NET AJAX, support Ajax bridging. be in the cache already, the attacker may be able to Custom solutions using PHP or common gateway extract data faster by using securitybooks.com. interface (CGI) programs can also provide bridging. An attacker can also send malicious requests through An Ajax bridge can connect to any web service on any the Ajax bridge from securitybooks.com to majorbook- host, using protocols such as Simple Object Access store.com. The bridge is another layer for the attacker Protocol (SOAP) and representational state transfer to hide behind. Normal business transactions can also (REST). Bridges can also connect to a custom web be hampered if an intrusion prevention system (IPS) service and arbitrary web resources, such as rich site at majorbookstore.com detects the malicious requests summary (RSS) feeds, HTML, Flash and binary content. coming from the securitybooks.com IP address and Security issues with bridges then automatically blocks all requests from security- Ajax bridges introduce several major security issues. books.com. An attacker may try to launch a structured For example, an Ajax-enabled, online book store called query language (SQL)SQL injection or an XSS attack securitybooks.com wants to access some of the web against majorbookstore.com but instead cause a denial services that majorbookstore.com provides, such as an of service attack against all securitybooks.com users. author search or genre recommendation service. To do The majorbookstore.com may not detect the attack being this, securitybooks.com sends JavaScript code over an relayed through the Ajax bridge. This may happen if Ajax bridge to majorbookstore.com. Although anyone majorbookstore.com does not review the requests it can get a free account to access majorbookstore.com’s receives from securitybooks.com for malicious content web services, the free accounts have limited privileges: as closely as the requests from other sites. The two The number of unique queries, simultaneous queries and parties have a partnership, and significant traffic hits per second is set low. A formal partnership agreement comes to marjorbooks.com from securitybooks.com. between the two companies allows securitybooks.com In this case, majorbooks.com web services are vulner- to access majorbookstore.com with fewer restrictions. able only if the attacks use securitybooks.com as an intermediary. 6
Hype about Ajax Recommendations Ajax and its effects on the Internet have received much publicity recently. Companies with complex web If you are considering converting a business application applications, such as MySpace.com, del.icio.us, and into a web application, ask the following questions: Writely.com, have been purchased for millions of • Should the application be a web application? dollars. Many conferences about Ajax and Web 2.0 • What do you gain by the conversion? applications have occurred all over the world. The hype about Ajax, however, has its own security ramifications. • Should the web application be an Ajax web application? First, the hype is driving programmers into the web application field. These novices often use “cut-and- If you decide to develop a web application, whether paste” application development to add functionality to traditional or Ajax, follow these recommendations: their projects without fully understanding the potential • Document the inputs that are allowed in your consequences. Most of these programmers are unfa- application. miliar with the security nuances of developing web • Validate all input before processing it. applications. This influx of programmers decreases the • Use white listing rather than black listing for validation. knowledge of those in the field. In turn, more technical White listing means you accept what you know is articles, computer books and online forums are targeted good data, while black listing uses a list of data that at novices. Ultimately, a small number of experts can is not allowed. For example, you know that a ZIP provide authoritative answers to an expanding audience. code should always have five numbers. White listing Second, the demand for these sophisticated web applica- the ZIP code input means only accepting five numbers, tions is causing some companies to embrace client-side nothing else. web applications. Often companies want to appear state • Always use the Secure Socket Layer (SSL) protocol to of the art, fend off start-up competitors or provide new transmit sensitive data, such as log-in credentials or front-end capabilities that their users will enjoy. Many bank account numbers. of these companies do not consider whether their applications should be web applications, let alone Ajax If you decide to retrofit your current web application or web applications. design a new one with Ajax, you should reduce the exposed program logic. 7
To learn more, visit www.hp.com/go/software © Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA1-5388ENW, October 2007

Empfohlen

AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 

Empfohlen

AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404sRonan Dunne, CEH, SSCP
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Ajax Ppt 1
Ajax Ppt 1Ajax Ppt 1
Ajax Ppt 1JayaPrakash.m
 
My Presentation On Ajax
My Presentation On AjaxMy Presentation On Ajax
My Presentation On AjaxGhaffar Khan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 

Was ist angesagt? (20)

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web Services
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 

Ähnlich wie Ajax Security Dangers

My Presentation On Ajax
My Presentation On AjaxMy Presentation On Ajax
My Presentation On AjaxGhaffar Khan
 
Sencha Web Applications Come of Age
Sencha Web Applications Come of AgeSencha Web Applications Come of Age
Sencha Web Applications Come of Agebastila
 
Effectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Effectively using Nokia Web Tools 2.0 templates for Series 40 web appsEffectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Effectively using Nokia Web Tools 2.0 templates for Series 40 web appsMicrosoft Mobile Developer
 
Ajax Basics And Framework
Ajax Basics And FrameworkAjax Basics And Framework
Ajax Basics And Frameworkshivas
 
A model for performance testing of ajax based web applications
A model for performance testing of ajax based web applicationsA model for performance testing of ajax based web applications
A model for performance testing of ajax based web applicationseSAT Publishing House
 
Ajax & Reverse Ajax Presenation
Ajax & Reverse Ajax PresenationAjax & Reverse Ajax Presenation
Ajax & Reverse Ajax PresenationRishabh Garg
 
Lessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX ExperiencesLessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX Experiencesgoodfriday
 
Mobile Ajax Workshop
Mobile Ajax WorkshopMobile Ajax Workshop
Mobile Ajax WorkshopBryan Rieger
 
Sunserver Open Solaris
Sunserver Open SolarisSunserver Open Solaris
Sunserver Open Solarispankaj009
 
New microsoft office power point presentation
New microsoft office power point presentationNew microsoft office power point presentation
New microsoft office power point presentationteach4uin
 
Give your web apps some backbone
Give your web apps some backboneGive your web apps some backbone
Give your web apps some backboneRTigger
 
Advantages and disadvantages of an ajax based client application
Advantages and disadvantages of an ajax based client applicationAdvantages and disadvantages of an ajax based client application
Advantages and disadvantages of an ajax based client applicationPlacinta Alin
 

Ähnlich wie Ajax Security Dangers (20)

Ajax Ppt 1
Ajax Ppt 1Ajax Ppt 1
Ajax Ppt 1
 
My Presentation On Ajax
My Presentation On AjaxMy Presentation On Ajax
My Presentation On Ajax
 
Ajax white paper
Ajax white paperAjax white paper
Ajax white paper
 
Sencha Web Applications Come of Age
Sencha Web Applications Come of AgeSencha Web Applications Come of Age
Sencha Web Applications Come of Age
 
Effectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Effectively using Nokia Web Tools 2.0 templates for Series 40 web appsEffectively using Nokia Web Tools 2.0 templates for Series 40 web apps
Effectively using Nokia Web Tools 2.0 templates for Series 40 web apps
 
Ajax Basics And Framework
Ajax Basics And FrameworkAjax Basics And Framework
Ajax Basics And Framework
 
Ajax
AjaxAjax
Ajax
 
Ajax ppt
Ajax pptAjax ppt
Ajax ppt
 
A model for performance testing of ajax based web applications
A model for performance testing of ajax based web applicationsA model for performance testing of ajax based web applications
A model for performance testing of ajax based web applications
 
Ajax & Reverse Ajax Presenation
Ajax & Reverse Ajax PresenationAjax & Reverse Ajax Presenation
Ajax & Reverse Ajax Presenation
 
SynapseIndia asp.net2.0 ajax Development
SynapseIndia asp.net2.0 ajax DevelopmentSynapseIndia asp.net2.0 ajax Development
SynapseIndia asp.net2.0 ajax Development
 
Lessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX ExperiencesLessons from the Trenches: Engineering Great AJAX Experiences
Lessons from the Trenches: Engineering Great AJAX Experiences
 
Lessons
LessonsLessons
Lessons
 
Mobile Ajax Workshop
Mobile Ajax WorkshopMobile Ajax Workshop
Mobile Ajax Workshop
 
Sunserver Open Solaris
Sunserver Open SolarisSunserver Open Solaris
Sunserver Open Solaris
 
New microsoft office power point presentation
New microsoft office power point presentationNew microsoft office power point presentation
New microsoft office power point presentation
 
Give your web apps some backbone
Give your web apps some backboneGive your web apps some backbone
Give your web apps some backbone
 
Advantages and disadvantages of an ajax based client application
Advantages and disadvantages of an ajax based client applicationAdvantages and disadvantages of an ajax based client application
Advantages and disadvantages of an ajax based client application
 
Ajax
AjaxAjax
Ajax
 
Ajax
AjaxAjax
Ajax
 

Mehr von drkimsky

Spi dynamik-sql-inj
Spi dynamik-sql-injSpi dynamik-sql-inj
Spi dynamik-sql-injdrkimsky
 
Ajax Security
Ajax SecurityAjax Security
Ajax Securitydrkimsky
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploitdrkimsky
 
Detecting Malice
Detecting MaliceDetecting Malice
Detecting Malicedrkimsky
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Clientdrkimsky
 

Mehr von drkimsky (6)

Spi dynamik-sql-inj
Spi dynamik-sql-injSpi dynamik-sql-inj
Spi dynamik-sql-inj
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Vbaac
VbaacVbaac
Vbaac
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploit
 
Detecting Malice
Detecting MaliceDetecting Malice
Detecting Malice
 
Comm Web Virtual Payment Client
Comm Web Virtual Payment ClientComm Web Virtual Payment Client
Comm Web Virtual Payment Client
 

Ajax Security Dangers

  • 2. Table of contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Problems with traditional web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Security issues for Ajax web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Increased attack surface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Information leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Repudiation of requests and cross-site scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Ajax bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Hype about Ajax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
  • 3. Introduction Ajax web applications With the growth of Web 2.0 and the movement towards Ajax is an acronym for Asynchronous JavaScript and a more interactive and responsive web, many applica- extensible markup language (XML). It is not a program- tions now employ Ajax, a collection of technologies that ming language or technology but a grouping of other has received a large amount of publicity and is being technologies that improves web application performance. quickly adopted by developers and corporations. While In Ajax web applications, the response time between Ajax can greatly improve the usability of a web applica- the client request and the server response is reduced.1 tion by improving its responsiveness and flexibility, it can This reduction is accomplished by exchanging small also create several attack opportunities if the application amounts of data between the user’s browser and has not been designed with security in mind. This white the server without refreshing the web page with paper describes the difference between traditional and each response. This design can drastically improve Ajax web applications, the benefits of the Ajax method- response time. ology, its security concerns and recommendations for securing web application development. In Ajax applications, JavaScript plays a larger role than in traditional web applications. At the beginning of Problems with traditional a session, the browser loads an Ajax engine, usually written in JavaScript, along with a web page. The engine then displays the web page that the user sees and web applications communicates the user’s requests back to the server. The presence of the Ajax engine lets the user interact with In traditional web applications, the browser typically the application without constantly refreshing the page.2 refreshes the entire web page when it receives a response from the server. This design often results in The Ajax engine sends Hypertext Transfer Protocol long pauses from when the client sends a request to (HTTP) requests to the server asynchronously. Therefore, the Internet to when the server returns a response, the application continues to respond to user events negatively affecting performance. and interaction while the server processes the request. When the client receives the response, the engine manipulates the document object model (DOM) to present the results to the user. Figure 1 shows the Ajax web application model. 1 The actual time between the client request and the server response only appears to be reduced. Ajax does not affect the server-side processing time. Its benefit is that Ajax provides the appearance of a more responsive website. 2 For more information about Ajax, see the essay, Ajax: A New Approach to Web Applications, from adaptive path. 3
  • 4. Figure 1: Ajax web application model Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes An Ajax web application, however, sends many small Security issues for Ajax requests, which create more inputs into the application. These inputs, sometimes called Ajax endpoints, provide web applications more ways for attackers to get into the application. Using the house analogy, the two stories now have While Ajax can greatly improve the usability of a web windows in addition to the front and back doors. The application, it can also create several opportunities for doors can be locked, but attackers now have many possible attacks if the application is not designed with windows that they can break into and enter. The doors security in mind. As Ajax web applications exist on are no longer of consequence. both clients and servers, they include the following security issues: Information leakage • Creating a larger attack surface with more inputs The JavaScript in the Ajax engine traps the user to secure commands and sends function calls to the server. The • Exposing internal functions of the web application following are examples of user commands: server • Return the price for product ID 24. • Allowing a client-side script to access third-party resources with no built-in security mechanisms • Return valid cities for a given state. • Return the last valid address for user ID 78. This section describes these security concerns in more detail. • Update a user’s age in a database. Function calls provide “how to” information for each Increased attack surface user command. This information places an attacker Unlike traditional web applications, which exist almost inside the application. From this vantage point, the entirely on the server, Ajax applications extend across attacker possesses function names, variable names, the client and server. Such implementations require function parameters, return types, data types and a trust relationship between the client and server— valid data ranges. a relationship that attackers can exploit. Figure 2 shows an attacker virtually inside an Ajax You can compare a traditional web application to web application. a two-story house with no windows and only two ways to get in: a front door and a back door. Attackers have only two ways to break into the house. 4
  • 5. Figure 2: An attacker is virtually in an Ajax application. Ajax web application Server JavaScript logic layer Server Back-end Internet logic processes Repudiation of requests and cross-site Injecting and propagating XSS With traditional web applications, attackers manually scripting (XSS) inject and propagate XSS. Attackers can typically inject Browser requests and Ajax engine requests look identical. only one part of a website with reflection-based XSS, The server cannot discern a request made by JavaScript such as including scripts in an e-mail link, or stored and a request made in response to a user action. XSS, such as saving the script as an entry in a back- Therefore, it is difficult for users to prove that they did end database. not perform certain actions. With Ajax applications, XSS can propagate like a virus. Using Ajax, JavaScript can also send a request for The XSS payload can use Ajax requests to automatically resources in the background without users knowing. inject itself into pages and reinject the same host with The browser automatically adds the necessary authen- more XSS. This can occur with no hard refresh. Thus, tication or state-keeping information, such as cookies, XSS can send multiple requests using complex HTTP to the request. JavaScript code can access the response methods to propagate itself invisibly to the user. Several to the hidden request and send additional requests. examples have already surfaced. This expansion of JavaScript functionality increases the In October 2005, a member of MySpace.com created possible damage of a cross-site scripting (XSS) attack. a profile that included a self-propagating worm, known XSS is the injection of script, such as JavaScript or as the Samy worm, making it the first public use of XSS VBScript, into the page that a user’s browser receives. and Ajax. When a user viewed the profile, the worm The script is then executed from the browser, exposing code automatically added the viewer to Samy's “friends” the user to a variety of threats, such as cookie theft list. The worm code was also copied into the victim's (session hijacking and information leakage), keystroke profile, so that when another user viewed the victim's logging, screen scraping and denial of service attacks. profile, the infection spread. Ajax amplifies XSS In June 2006, the Yamanner worm infected Yahoo's With Ajax, XSS can make malicious requests with popular web mail service. The worm, using XSS and a user’s credentials without refreshing the web page. Ajax, took advantage of a vulnerability in Yahoo mail's Such activity can increase the potential for damage onload event handling. When a user opened an and theft of information. With traditional web applica- infected e-mail, the worm code executed its JavaScript tions, most information thefts occur with passive screen and sent a copy of itself to the infected user’s Yahoo scraping. The malicious script can secretly read the contacts. The infected e-mail carried a spoofed 'From' contents of the HTML only from the page that the user address that was randomly added from the infected is currently viewing. This content can then be sent to the system, making the malicious e-mail appear that it attacker. Using Ajax, an XSS attack can send requests came from a known source. for pages other than the page that the user is currently It took only eight months for XSS and Ajax worms to viewing. This lets the attacker actively “hunt” for certain develop from proofs of concept to full-fledged, malicious content and potentially access resources and data not attacks. Attackers are aware of this vulnerability. available through passive scraping. 5
  • 6. Ajax bridging In this example, an attacker can do several things. To copy the entire author database from majorbook- For security purposes, Ajax applications can only connect store.com, the attacker can issue thousands of queries to the websites from which they come. For example, to the Ajax bridge running on securitybooks.com. JavaScript with Ajax downloaded from Yahoo cannot The relationship between the two websites allows connect to Google. To contact third-party sites, the Ajax the attacker to extract more data by going through service bridge was created. In a bridge, a host provides securitybooks.com than by using a free account from a web service that acts as a proxy to forward traffic majorbookstore.com. securitybooks.com can cache the between the JavaScript running on the client and the results it receives from majorbookstore.com to limit the third-party site. A bridge provides a “web service to number of queries it has to make, reduce bandwidth web service” connection. Many web frameworks, such and improve performance. As the attacker’s query may as Microsoft® ASP.NET AJAX, support Ajax bridging. be in the cache already, the attacker may be able to Custom solutions using PHP or common gateway extract data faster by using securitybooks.com. interface (CGI) programs can also provide bridging. An attacker can also send malicious requests through An Ajax bridge can connect to any web service on any the Ajax bridge from securitybooks.com to majorbook- host, using protocols such as Simple Object Access store.com. The bridge is another layer for the attacker Protocol (SOAP) and representational state transfer to hide behind. Normal business transactions can also (REST). Bridges can also connect to a custom web be hampered if an intrusion prevention system (IPS) service and arbitrary web resources, such as rich site at majorbookstore.com detects the malicious requests summary (RSS) feeds, HTML, Flash and binary content. coming from the securitybooks.com IP address and Security issues with bridges then automatically blocks all requests from security- Ajax bridges introduce several major security issues. books.com. An attacker may try to launch a structured For example, an Ajax-enabled, online book store called query language (SQL)SQL injection or an XSS attack securitybooks.com wants to access some of the web against majorbookstore.com but instead cause a denial services that majorbookstore.com provides, such as an of service attack against all securitybooks.com users. author search or genre recommendation service. To do The majorbookstore.com may not detect the attack being this, securitybooks.com sends JavaScript code over an relayed through the Ajax bridge. This may happen if Ajax bridge to majorbookstore.com. Although anyone majorbookstore.com does not review the requests it can get a free account to access majorbookstore.com’s receives from securitybooks.com for malicious content web services, the free accounts have limited privileges: as closely as the requests from other sites. The two The number of unique queries, simultaneous queries and parties have a partnership, and significant traffic hits per second is set low. A formal partnership agreement comes to marjorbooks.com from securitybooks.com. between the two companies allows securitybooks.com In this case, majorbooks.com web services are vulner- to access majorbookstore.com with fewer restrictions. able only if the attacks use securitybooks.com as an intermediary. 6
  • 7. Hype about Ajax Recommendations Ajax and its effects on the Internet have received much publicity recently. Companies with complex web If you are considering converting a business application applications, such as MySpace.com, del.icio.us, and into a web application, ask the following questions: Writely.com, have been purchased for millions of • Should the application be a web application? dollars. Many conferences about Ajax and Web 2.0 • What do you gain by the conversion? applications have occurred all over the world. The hype about Ajax, however, has its own security ramifications. • Should the web application be an Ajax web application? First, the hype is driving programmers into the web application field. These novices often use “cut-and- If you decide to develop a web application, whether paste” application development to add functionality to traditional or Ajax, follow these recommendations: their projects without fully understanding the potential • Document the inputs that are allowed in your consequences. Most of these programmers are unfa- application. miliar with the security nuances of developing web • Validate all input before processing it. applications. This influx of programmers decreases the • Use white listing rather than black listing for validation. knowledge of those in the field. In turn, more technical White listing means you accept what you know is articles, computer books and online forums are targeted good data, while black listing uses a list of data that at novices. Ultimately, a small number of experts can is not allowed. For example, you know that a ZIP provide authoritative answers to an expanding audience. code should always have five numbers. White listing Second, the demand for these sophisticated web applica- the ZIP code input means only accepting five numbers, tions is causing some companies to embrace client-side nothing else. web applications. Often companies want to appear state • Always use the Secure Socket Layer (SSL) protocol to of the art, fend off start-up competitors or provide new transmit sensitive data, such as log-in credentials or front-end capabilities that their users will enjoy. Many bank account numbers. of these companies do not consider whether their applications should be web applications, let alone Ajax If you decide to retrofit your current web application or web applications. design a new one with Ajax, you should reduce the exposed program logic. 7
  • 8. To learn more, visit www.hp.com/go/software © Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA1-5388ENW, October 2007