AJAX Security Issues

Asynchronous JavaScript And XML (AJAX)
Not a new technology – a synergy of existing technologies
•DOM (Document Object Model)
•XHR (XMLHttpRequest) Object
[Diagram: Traditional Web Application vs. AJAX Web Application]
Security Issues – General
•Ajax applications are more complex
   •Hard to find knowledgeable developers
   •More LOC and varied parts
•Ajax applications are transparent
   •Messages between the client/server intercepted and understood (HTTP)
   •Application is accessible to anyone
   •Some application logic stored on client
Specific Security Issues
•XML poisoning
•Malicious Ajax Code Injection
•RSS/Atom Injection
•WSDL scanning and enumeration
•Client Side validation routines
•Web Services Routing Issues
Specific Security Issues
•Parameter manipulation with SOAP
•XPATH injection
•RIA client binary manipulation
•XSS Prototype Hijacking
•HTTP Request Splitting
•Mashup site security problems
•Aggregate or Ajax portal site problems
•Race Conditions
Why do issues arise?
•Tight deadlines
•Limited opportunity for training
•Predeveloped frameworks
Specific Attacks Illustrated
Malicious Ajax Code Injection – Theoretical Attack
•Hacker in a place with wireless connection
•Travel Agency site – HighTechVacations.net
•Agency has coupon array and crypto functions on client-side – oops!
•Agency doesn’t validate all client-side input for queries and uses client-side data transformation – oops!
•Agency stores both user and admin functions in a common.js file including – AjaxCalls.admin.addUser –
Specific Attacks Illustrated
XSS and CSRF – Theoretical Attack
•Hacker in a place with a wireless connection finds bank.com with an XSS
•Hacker crafts a URL pointing to the real bank.com site, but containing a JavaScript payload in the query string
•Hacker e-mails the link to bank.com customers and asks them to come check out the new website
•User follows link and logs in – Hacker now has id and
•JavaScript load now uses XHR object to request account
Specific Attacks Illustrated
XSS and CSRF – Theoretical Attack
•After account balance extracted XHR object is used to request transfer of funds
•Bank requires confirmation of transfer – XHR object extracts out randomized token (nonce) and returns a confirmation – funds transfer
•Remember user never sees any activity as DOM is not
•This type of CSRF not possible before Ajax, because attacker could not extract response from XHR object – only blind attacks were possible
Specific Attacks Illustrated
XSS and CSRF – Real Attack
Samy worm on myspace.com
•Inserted JavaScript into his profile
•Worm re-directs browser to view from www.myspace.com instead of profile.myspace.com
•Uses XHR obj to retrieve and modify friendslist and user
•Site asks for confirmation of profile update – XHR object used to extract token and confirm
Specific Attacks Illustrated
XSS Prototype Hijacking
•Wrapper function for XHR object
   var xmlhttp = XMLHttpRequest;
   XMLHttpRequest = function() { this.xml = new xmlhttp(); return this; }
•Now attacker has access to control the xml attribute
•Attacker sets up sniff() function which will be used to send the victim’s data to attacker’s site
•Finally attacker wraps XHR send() function to include the sniff() function and maybe even tamper with parameters sent to real site
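A defender's counterpart to the wrapper above: a self-check a page can run to notice that the XMLHttpRequest constructor or its prototype methods have been replaced by script. This is an added example, not code from the slides; it uses the shared Function.prototype.toString (which reports "[native code]" for built-ins) and, because Node has no XMLHttpRequest, demonstrates on Map with a wrapper built in the same shape as the slide's hijack.

```javascript
// Returns true when `fn` is a built-in engine/browser function, i.e. its
// source text is the "[native code]" placeholder rather than script.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Use the shared Function.prototype.toString rather than fn.toString, so an
  // own toString on a wrapper cannot lie. Assumption: the shared toString
  // itself has not been replaced (check it first in the same way if in doubt).
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Audits a constructor and the listed prototype methods and reports which of
// them are no longer native. In a browser the call for the slide's case is
//   auditApi(XMLHttpRequest, ['open', 'send', 'setRequestHeader'])
// An empty result means nothing was replaced.
function auditApi(ctor, methodNames) {
  const findings = [];
  if (!isNativeFunction(ctor)) findings.push('constructor');
  for (const name of methodNames) {
    const method = ctor && ctor.prototype && ctor.prototype[name];
    if (!isNativeFunction(method)) findings.push(`prototype.${name}`);
  }
  return findings;
}

// Demonstration on a stand-in: Map plays the role of XMLHttpRequest, and
// Wrapped is built the same way the slide wraps XHR (keep the real
// constructor, return an object that holds an inner instance, re-route one
// method). The global Map is deliberately left untouched.
function demo() {
  const before = auditApi(Map, ['get', 'set']);
  const realMap = Map;
  const Wrapped = function () { this.inner = new realMap(); return this; };
  Wrapped.prototype = Object.create(realMap.prototype);
  Wrapped.prototype.set = function (k, v) {
    return realMap.prototype.set.call(this.inner, k, v);
  };
  const after = auditApi(Wrapped, ['get', 'set']);
  return { before, after }; // before: [], after: ['constructor', 'prototype.set']
}
```

Caveats a practitioner should keep in mind: a wrapper produced with Function.prototype.bind also reports "[native code]", and an attacker who already runs script in the page could replace Function.prototype.toString before this check runs, so the audit is a tripwire that raises the bar, not a substitute for preventing the XSS in the first place.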
Specific Attacks Illustrated
Aggregate Sites
•Data aggregated from multiple untrustworthy sites
•Everything running in same security domain
   •IFrame jails can be used, but those can still be compromised by adding a new iframe inside one jail to point to another iframe outside of the jail.
•NetVibes.com specifically allows widgets to make POSTs to /save/userData.php – so unless you extend iframe jails to server – no protection
•Session hijacking if iframe jails can access session ID
Specific Attacks Illustrated
Aggregate Sites
[Diagram: Aggregate.com and Gmail.com, with links labelled Unencrypted and Encrypted]
•Aggregates are transmitting your data over unencrypted
Not an attack – still a problem
Race conditions
•Alice has direct deposit and banks online
•Alice transfers $2k from savings to checking online
•Simultaneously her direct deposit of $10k is occurring
•Before transfer and direct deposit her checking acct bal was $2k
•After both execute her checking acct bal is $4k –
•A race condition has occurred and only the $2k transfer updated – the web app developers failed to account for race conditions with other processes
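Alice's lost update, replayed in code, as an added example that is not part of the slides. Two request handlers (a $10k deposit and a $2k transfer) interleave on a constructed in-memory account store; the unsafe handler does read-then-write and loses the deposit exactly as the slide describes, while the safe handler uses a versioned compare-and-set with retry, the in-memory equivalent of a conditional UPDATE ... WHERE version = ? in a database. Handlers are generators so the interleaving is deterministic: each yield marks the round trip to the database where another request can run.

```javascript
// Constructed in-memory account store. Each row carries a version so that an
// update can be made conditional on nobody having written the row since it
// was read (the same idea as optimistic locking on a DB row).
function makeStore(initial) {
  const values = { ...initial };
  const versions = Object.fromEntries(Object.keys(initial).map((k) => [k, 0]));
  return {
    get: (k) => values[k],
    set: (k, v) => { values[k] = v; },
    read: (k) => ({ value: values[k], version: versions[k] }),
    // Succeeds only if the row is still at the version the caller read.
    compareAndSet(k, expectedVersion, v) {
      if (versions[k] !== expectedVersion) return false;
      values[k] = v;
      versions[k] += 1;
      return true;
    },
  };
}

// Unsafe handler: read, wait for I/O, then write a value computed from the
// stale read. Whatever the other handler wrote in between is overwritten.
function* creditUnsafe(store, account, amount) {
  const snapshot = store.get(account);
  yield; // database round trip; another request may run here
  store.set(account, snapshot + amount);
}

// Safe handler: same read/wait/write shape, but the write is a compare-and-set
// that fails if the row changed, in which case the handler re-reads and retries.
function* creditSafe(store, account, amount) {
  for (;;) {
    const { value, version } = store.read(account);
    yield;
    if (store.compareAndSet(account, version, value + amount)) return;
    // Another request updated the row first: loop back to a fresh read.
  }
}

// Round-robin scheduler: steps each handler in turn until all have finished,
// which is the interleaving that produces the slide's $4k result.
function runInterleaved(handlers) {
  const queue = [...handlers];
  while (queue.length > 0) {
    const h = queue.shift();
    if (!h.next().done) queue.push(h);
  }
}

// Alice's scenario (constructed balances): checking starts at $2k; a $10k
// direct deposit and the $2k transfer into checking are processed at once.
// The savings-side debit of the transfer is not modelled; only checking matters here.
function aliceScenario(credit) {
  const store = makeStore({ checking: 2000, savings: 5000 });
  runInterleaved([
    credit(store, 'checking', 10000), // direct deposit
    credit(store, 'checking', 2000),  // online transfer into checking
  ]);
  return store.get('checking');
}

const lostUpdate = aliceScenario(creditUnsafe); // 4000: the deposit is overwritten
const correct = aliceScenario(creditSafe);      // 14000: transfer retried after the deposit
```

Trace of the safe run: both handlers read checking = 2000 at version 0; the deposit's compare-and-set succeeds (12000, version 1); the transfer's compare-and-set fails because the version moved, so it re-reads 12000 and its second attempt lands at 14000. The fix is not the retry loop by itself but the fact that the check-and-write is atomic in the store; in a real system that atomicity has to come from the database (row locks, a transaction, or a conditional update), never from the web tier.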
Solutions to Security Issues
General recommendations
•Developer training and secure coding practices
•Specifically validate all data input
•Get a corporate management buy-in to foster a secure development environment
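What "specifically validate all data input" looks like on the server side of the travel-agency example from the earlier slide, as an added example (not the slides' code and not any real site's): an allow-list validator for the parameters an Ajax endpoint receives, with the coupon table and discount decision kept on the server and any echoed value HTML-encoded. The parameter rules and coupon table are constructed for the demonstration.

```javascript
// Hypothetical rules for the endpoint's parameters. Allow-list patterns:
// anything not matching is rejected, and keys not listed are rejected too.
const RULES = {
  coupon: { pattern: /^[A-Z0-9]{4,12}$/, required: true },
  nights: { pattern: /^[1-9]\d{0,2}$/, required: true },
  note:   { pattern: /^[\w .,'-]{0,200}$/, required: false },
};

// Returns { ok, errors }. Unknown parameters are an error rather than being
// silently ignored, so a client cannot smuggle extra fields past the check.
function validateParams(params, rules = RULES) {
  const errors = [];
  for (const key of Object.keys(params)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) {
      errors.push(`unexpected parameter: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(rules)) {
    const value = params[key];
    if (value === undefined) {
      if (rule.required) errors.push(`missing parameter: ${key}`);
      continue;
    }
    if (typeof value !== 'string' || !rule.pattern.test(value)) {
      errors.push(`invalid value for ${key}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Output encoding for anything reflected into HTML. Validation already limits
// what can reach here; encoding anyway means a later loosening of a rule
// cannot quietly reintroduce XSS.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The coupon array and the discount logic live here, on the server; the
// client only learns the outcome for the single code it submitted.
function handleCouponLookup(params, knownCoupons) {
  const check = validateParams(params);
  if (!check.ok) return { status: 400, body: check.errors.join('; ') };
  const discount = knownCoupons[params.coupon];
  if (discount === undefined) {
    return { status: 404, body: `coupon not found: ${escapeHtml(params.coupon)}` };
  }
  return { status: 200, body: `discount ${discount}% applied for ${params.nights} night(s)` };
}

// Constructed coupon table for the demonstration.
const COUPONS = { SUMMER10: 10, VIP25: 25 };
```

Usage: handleCouponLookup({ coupon: 'SUMMER10', nights: '3' }, COUPONS) returns status 200, while a request carrying an extra admin-style field or a coupon value containing markup is refused with 400 before any lookup happens. The same pattern applies to every entry point the client can reach, including the admin functions the slide mentions living in common.js: their presence in client code changes nothing if the server validates and authorises each call on its own.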
Solutions to Security Issues
Specific solutions
•Code migration framework to Ajax
   •Develop in Java –
      •Access to strong IDE
      •Developers more familiar with it than with JavaScript
      •Use static/dynamic analysis to catch vulnerabilities
   •Use XMLVM and XSL style sheet mappings to automatically convert to JavaScript
•Prototype program was developed to test feasibility
•This approach cannot support multi-threaded apps
Solutions to Security Issues
Specific solutions
•Automatic Partitioning
   •Code in Jif 3.0
      •Developer focused on one language
   •Jif code compiled into WebIL
      •Separates code into 2 programs – client and server – according to security constraints
   •Compile both programs into Java
   •Use GWT to transform client-side into JavaScript
•Six small prototype apps tested – no real world apps
•Labels require getting used to
Solutions to Security Issues
Specific solutions
•Construction frameworks to protect against injection
   •Extension of same origin policy
   •Identify every UI widget as a principal
   •Sandbox the principal with respect to JavaScript
   •Modify browser to collect list of principals as it walks DOM tree
   •Modify development framework to attach principal annotations when HTML generated
•Problems handling UIs dependent upon other UIs
•No testing submitted by authors
Solutions to Security Issues
Specific solutions
   •Re-write web pages to filter for malicious content
      •Tokenizes HTML and modifies it per security policies
      •Tags script elements w/ bshield.translate()
      •Re-writes all JavaScript at runtime per policies and feeds through Interposition Layer
      •Interposition Layer controls all DOM manipulations
Solutions to Security Issues
Specific solutions
   •Authors built a prototype and tested against all critical vulnerabilities for which IE released patches in 2005
   •12 vulnerabilities related to HTML, script, and ActiveX – 100% caught by BrowserShield
•Developing secure Ajax applications is a work in
•Continued developer education and awareness is
•Some changes in corporate culture may have to
•If Ajax applications are developed willy-nilly and people are attacked – they may decide to stop using the web – this could stifle certain industries
•Above all – developers should scrub data inputs

