i Ajax injection attack – All things in moderation

Ajax injection attack

    1. Introduction & Explain

        1. Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a traditional (i.e., “pre-web”) application. Since AJAX is still a new technology, there are many security issues that have not yet been fully researched. Some of the security issues in AJAX include:
          • Increased attack surface with many more inputs to secure
          • Exposed internal functions of the application
          • Client access to third-party resources with no built-in security and encoding mechanisms
          • Failure to protect authentication information and sessions
          • Blurred line between client-side and server-side code, possibly resulting in security mistakes
        2. AJAX is not a technology; rather, it is a collection of technologies each providing robust foundations when designing and developing web applications:
          • XHTML or HTML and Cascading Style Sheets (CSS) providing the standards for representing content to the user.
          • Document Object Model (DOM) that provides the structure to allow for the dynamic representation of content and related interaction. The DOM exposes powerful ways for users to access and manipulate elements within any document.
          • XML and XSLT that provide the formats for data to be manipulated, transferred and exchanged between server and client.
          • XML HTTP Request: The main disadvantages of building web applications is that once a particular webpage is loaded within the user’s browser, the related server connection is cut off. Further browsing (even) within the page itself requires establishing another connection with the server and sending the whole page back even though the user might have simply wanted to expand a simple link. XML HTTP Request allows asynchronous data retrieval or ensuring that the page does not reload in its entirety each time the user requests the smallest of changes.
          • JavaScript (JS) is the scripting language that unifies these elements to operate effectively together and therefore takes a most significant role in web applications.
        3. AJAX Architecture
            1. Architecture

              ajax_architecture

              ajax_architecture

              2. Jquery AJAX  example using $.AJAX method

              POST:

              var  formData = "name=foo&age=20"//Name value Pair
                  or
              var formData = {name:"foo",age:"20"}; //Array
              
              
              $.ajax({

               

                  url : "AJAX_POST_URL",

               

                  type: "POST",

               

                  data : formData,

               

                  success: function(data, textStatus, jqXHR)

               

                  {

               

                      //data - response from server

               

                  },

               

                  error: function (jqXHR, textStatus, errorThrown)

               

                  {

               

                               // process error occur

               

                  }

               

              });To send, POST request you need to set type = “POST” in AJAX settings. formData: can be an array or name value pairs. success: callback function is called when the AJAX POST is successful error: callback function is called when the AJAX POST is failed GET:

              $.get( "ajax/test.html", function( data ) {

               

               

              $( ".result" ).html( data );

               

               

              alert( "Load was performed." );

               

               

              });

               

           

           

       

       

 

  • Attacks and Vulnerabilities

      1. XMLHttpRequest Vulnerabilities

        AJAX uses the XMLHttpRequest(XHR) object for all communication with a server-side application, frequently a web service. A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. In the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence, the login data is traversing the wire in clear text. Using secure HTTPS/SSL channels, which the modern day browsers support, is the easiest way to prevent such attacks from happening. XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks such as SQL Injection, Cross Site Scripting (XSS), etc.

     

  • Increased Attack Surface

    Unlike traditional web applications that execute completely on the server, AJAX applications extend across the client and server, which gives the client some power. This throws in additional ways to potentially inject malicious content.

  • Cross Site Scripting

    I’ll present in anonther post.

  • Client Side Injection Threats

      • XSS exploits can give access to sensitive client-side data, and can also modify client-side code.

     

  • DOM Injection is a type pf XSS injection which happens through the sub-objects, document location, document.URL, or document.referrer of the Document Object Model(DOM)
  • <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    document.write(document.URL.substring(pos,document.URL.length));
    </SCRIPT>
    
    • JSON/XML/XSLT Injection – Injection of malicious code in the XML content
  • AJAX Bridging

    For security purposes, AJAX applications can only connect back to the Website from which they come. For example, JavaScript with AJAX downloaded from site1.com cannot make connections to site2.com. To allow AJAX to contact third-party sites in this manner, the AJAX service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site. A bridge could be considered a ‘Web service to Web service’ connection. An attacker could use this to access sites with restricted access.

  • Denial of Service

    Denial of Service is an old attack in which an attacker or vulnerable application forces the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. In fact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks such as using image tags nested within a JavaScript loop can do the trick more effectively. AJAX, being on the client-side, makes the attack easier.

    <IMG SRC="http://example.com/cgi-bin/ouch.cgi?a=b">
  • Browser Based Attacks
    […]

  • AJAX security cheat sheet

    1. Client Side (javascript)

      1. Use .innerText instead of .innerHtml
      2. Don’t use eval
      3. Cononicalize dta to consumer( read: encode before use)
      4. Don’t rely on client logic for security
      5. Don’t rely on client business logic
      6. Avoid writing serialization code
      7. Avoid building XML or JSON dynamicaly
      8. Never transmit secrets to the client
      9. Don’t perform encrytion in client side code
      10. Don’t perform security impacting login on cllient side
    2. Server side

      1. Project against JSON Hijacking for Older Browsers
        1. User CSRF projection
        2. Always return JSON with an Object on the outside
      2. Avoid writing serialization code. Remember ref vs. value types
      3. Services can be called by users directly
      4. Avoid building XML or JSON by hand, use the framewwork
      5. User JSON and XML schema for Webservices
  • References

    http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf

 

 

Leave a Reply