
AJAX IS Harmful IF ...

Slashdotted today: a paper called Subverting AJAX [PDF] by Stefano Di Paola and Giorgio Fedon, presented at the 23rd Chaos Communication Congress. The document talks about next generation vulnerabilities in 2.0 Web Applications, innovative attack scenarios, Prototype Hijacking, UXSS, and other terms that might scare you at first glance. While I thought it was talking about something new, it's just XSS techniques applied to AJAX applications.


To make things clear, AJAX applications have two parts:

  1. Server side

  2. Client side

Now, what the paper is talking about is the client side: playing with the DOM, hijacking JavaScript by inserting malicious code... But when could this happen? If a website is vulnerable to XSS! To protect your website or application from XSS, simply never trust any external data; it's the general rule, valid for all application development. And when an application is vulnerable to XSS, I don't think we need to give it a new name, because the techniques for exploiting XSS bugs are countless.
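The rule above, applied to data arriving through an AJAX response, as an added example that is not from the original post or the paper. The comment fields (`author`, `homepage`, `text`) and the response body are constructed, and the functions build HTML strings so the code runs in Node without a DOM.

```javascript
// Added example: treating AJAX response data as untrusted before it reaches the page.
// Field names (author, homepage, text) and the sample payload are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use in HTML text or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; anything else (javascript:, data:, ...) becomes "#".
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch (e) {
    return '#'; // not an absolute URL: refuse rather than guess
  }
}

// Vulnerable: response fields are concatenated into markup as-is.
function renderCommentUnsafe(c) {
  return '<p><a href="' + c.homepage + '">' + c.author + '</a>: ' + c.text + '</p>';
}

// Hardened: every field is validated or encoded for the context it lands in.
function renderCommentSafe(c) {
  return '<p><a href="' + escapeHtml(safeHref(c.homepage)) + '">' +
    escapeHtml(c.author) + '</a>: ' + escapeHtml(c.text) + '</p>';
}

// Constructed JSON body, as an XMLHttpRequest callback might receive it.
const responseText = JSON.stringify({
  author: 'Mallory <b>',
  homepage: 'javascript:alert(1)',
  text: '<img src=x onerror="alert(document.cookie)">'
});
const comment = JSON.parse(responseText);

console.log(renderCommentUnsafe(comment)); // markup from the response survives
console.log(renderCommentSafe(comment));   // markup from the response is inert
```

In a browser, assigning untrusted text through `textContent` instead of building markup avoids the encoding step for text nodes altogether.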

So we talked about the client side, which is vulnerable but not harmful! Back to the server side of AJAX applications: if we don't distrust all external data, apply correct validation and design the application correctly, our application will certainly be vulnerable, and in this case it could be harmful.

Conclusion

If your application is vulnerable to XSS, it is harmful. AJAX is just the tool, which has always been used; nothing really new. The only problem I see here is that many developers don't really care about XSS bugs and don't find them harmful, so this will depend on your application, and you need to investigate further before drawing conclusions.

Comments
1

Well, this is not really something new - because there are a lot of toolbars and plugins that maliciously rewrite pages, store and share session cookies and so on.

I guess the most important issue is that a hijacked JS library can initiate a malicious request for a website without the user knowing, but this is a security hole open to any website since XMLHTTPRequest was introduced, as the XMLHTTPRequest object allows emulating any page load.

2

I've found tons of sites that don't protect against XSS, even some really big sites. Developers really need to pay more attention.

3

Agreed, developers just don't realize.

4

AJAX, if used without protection, would be a very good weapon for hackers. Some of my websites got hacked because of not protecting AJAX. So, I advise every webmaster to BE AWARE!

5

AJAX, if used without protection, would be a strong weapon for hackers. So, I advise every webmaster to be aware of this!

6

I agree: if you are using AJAX you need to protect yourself from XSS attacks. Don't wait until you get hacked to make the changes.
