Javascript and AJAX Security
AJAX — Asynchronous JavaScript And XHTML — has become a major method to produce the Web 2.0 applications on which we’ve come to rely. Google Maps uses AJAX, for example. And, there are a number of plugins for WordPress BlogMasters that rely on AJAX methods for a clean and powerful interface. But are you secure? Max has found a number of ways to check out the answer to that question, and to learn what you need to know about AJAX security.
by Max Kiesler
Beneath the peppy front ends of many of todays Rich Internet Applications lies a dark flaw that if left unchecked can bring a site down to it’s knees. For the past few years many designers and developers have been adding AJAX and Javascript functionality to there websites. Many of these websites suffer from threats such as, cross site scripting (also known as XSS), cross-site request forgery (XSRF), and several other well know exploits.
Maybe you’re using one of the popular libraries such as, Prototype and Script.aculo.us, or Dojo and think You’re safe. Think again. Unless you’ve implemented security fixes you may be vulnerable to several types of attacks. The same goes for blog plugins, popular open source applications, and of-course the plethora of free Javascript and AJAX add-ons available at free script websites. If you want to protect yourself, please read on.
Below you’ll find a list of the sites I’ve visited to learn more about Javascript and AJAX security. Please let me know through email or a comment if you know of any other great security resources, and I’ll be glad to post them. Most of the descriptions below are taken from the developers of the example. Thanks, Max.
AJAX Security Articles
One of the central ingredients of Web 2.0 applications is Ajax… This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses…
Ajax Security: Stronger than Dirt?
“Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions. Ajax (Asynchronous JavaScript and XML) lurched into being in 2005. As a web services model, Ajax is touted as the next big thing by many who work in web development. Like all big things however, Ajax is not without its faults, one of the most pronounced being that not many people actually know what Ajax is, and what potential risks could be introduced into enterprise environments by embracing it. This article examines what Ajax is, the security implications for Ajax applications, and details a range of potential attack vectors against this technology together with possible defences.”
Developers Warned to Secure AJAX Design
{smartads}
“Security firm Fortify Software has stepped forward to warn Web site developers that most frameworks for deploying interactive functionality use JavaScript in a way that could lead to their applications leaking user data. The problem, dubbed JavaScript hijacking by the firm, occurs because popular asynchronous JavaScript and XML (AJAX) toolkits use the scripting language as a transport mechanism without due consideration to security. The basic threat is that malicious Web sites could use cross-site request forgery (XSRF) to steal data from other AJAX-enabled Web applications, Fortify stated in a report released on Monday.”
JSON is Not As Safe As People Think It Is
“I saw some discussion recently about using JSON for secured data, and I’m not sure that everyone understands the risks. I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. There are 2 problems. CSRF (Cross Site Request Fogery) allows attackers to bypass cookie based authentication. I blogged about it a while ago. Wikipedia talks about it. CSRF allows you to invoke cookie protected actions on a remote server. It allows Mr. Evil to trick Mrs. Innocent into transferring money from her bank account into his. Far less known perhaps, is the JSON/Array hack that allows a user to steal JSON data on Mozilla and any other platform with a modern JavaScript interpreter.”
Myth-Busting AJAX (In)security
“The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced website developers and security experts have a difficult time cutting through the buzzword banter to find the facts. And, the fact is most websites are insecure, but AJAX is not the culprit. Although AJAX does not make websites any less secure, it’s important to understand what does.”
New chapter and verse on Ajax Security
“The increased use of Ajax has brought to the forefront concern about its security. Recognizing that this is an issue, the Open Web Application Security Project (OWASP) is updating its Guide to Building Secure Web Applications to include a separate chapter on Ajax. Andrew van der Stock, who is heading the Guide project and who also wrote the Ajax chapter, spoke with SearchAppSecurity.com recently about Ajax security and what risks developers need to be concerned about.”
The Cross Site Scripting (XSS) FAQ
“Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don’t, called “Cross Site Scripting” (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.”
Top 10 Ajax Security Holes and Driving Factors
“One of the central ingredients of Web 2.0 applications is Ajax encompassed by JavaScripts. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the last few months. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.”
AJAX Security Tools
“We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.”
AJAX: Is Your Application Secure Enough?
“aSSL is a library distributed under MIT License thats implements a technology similar to SSL without HTTPS. aSSL enables the client to negotiate a secret random 128-bit key with the server using the RSA algorithm. Once the connection has been established, the data will be sent and received using AES algorithm. aSSL is composed of some Javascript files and a server side component. Because I have recently changed the negotiation algoritm from RC4 to RSA, only a pure Javascript (ASP) server component is currently available. I will do a porting for the main web languages (PHP, Java, Perl, Python, TKL, etc.) as soon as possible once the library has passed the beta phase.”
How to Protect a JSON or Javascript Service
“There have been lots of explanations recently of the dangers of JSON or JavaScript remoting. This post is about what you can do to protect your scripts.”
DOM Security
DOM Based Cross Site Scripting or XSS of the Third Kind
“We all know what Cross Site Scripting (XSS) is, right? It’s that vulnerability wherein one sends malicious data (typically HTML stuff with Javascript code in it) that is echoed back later by the application in an HTML context of some sort, and the Javascript code gets executed. Well, wrong. There’s a kind of XSS which does not match this description, at least not in some fundamental properties. The XSS attacks described above are either “non-persistent”/”reflected” (i.e. the malicious data is embedded in the page that is returned to the browser immediately following the request) or “persistent”/”stored” (in which case the malicious data is returned at some later time). But there’s also a third kind of XSS attacks – the ones that do not rely on sending the malicious data to the server in the first place! While this seems almost contradictory to the definition or to common sense, there are, in fact, two well described examples for such attacks. This technical note discusses the third kind of XSS, dubbed “DOM Based XSS”. No claim is made to novelty in the attacks themselves, of course, but rather, the innovation in this write-up is about noticing that these belong to a different flavor, and that flavor is interesting and important.”
General Client-Side Component Security
Cross site scripting (XSS) errors are generally considered nothing more than a nuisance — most people do not realize the inherent danger these types of bugs create
Hacking Web 2.0 Applications with Firefox
“AJAX and interactive web services form the backbone of “web 2.0″ applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins.”
Prepare for Attack!–Making Your Web Applications More Secure
“Arm yourself and prepare for battle! This post is intended as a reminder about the possible security attacks your Web application may be vulnerable to. While it is not meant as a comprehensive guide to Web-application security, it can give you some ideas on how to better protect your applications.”
XSS, Cookies, and Session ID Authentication – Three Ingredients for a Successful Hack
“Cross site scripting (XSS) errors are generally considered nothing more than a nuisance — most people do not realize the inherent danger these types of bugs create. In this article Seth Fogie looks at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to “shell” access to the web server.”
Vulnerability Scanning Web 2.0 Client-Side Components
“Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP), Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowerment of an end-user’s browser by loading libraries.”
Javascript Security Articles
Community Creators, Secure Your Code!
“Personalization is a great feature–it allows users to make their personal pages come to life by adding colors, pictures, and even sound–but as with any user input, it is a security threat if not properly sanitized. The creation of a secure online community is a balancing act: your users should be able to personalize their pages using pseudo code or actual HTML, while remaining protected from vandals who might inject malicious JavaScript or otherwise cause harm. One piece of the larger security puzzle is cross-site scripting (XSS). In part one of this two-article series, we will look at various XSS techniques you should be aware of, and at common methods of defending your community against them. In part two, we’ll use real-world examples to explore these techniques in greater detail.”
Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
“Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours. This scenario is no longer one of fiction. ”
Javascript Security Tools
“JavaScript has its own security model, but this is not designed to protect the Web site owner or the data passed between the browser and the server. The security model is designed to protect the user from malicious Web sites, and as a result, it enforces strict limits on what the page author is allowed to do. They may have control over their own page inside the browser, but that is where their abilities end.”
“It is a sad truth that JavaScript applications are easily left vulnerable to several types of security exploits, if developers are unwary. Because the Google Web Toolkit (GWT) produces JavaScript code, we GWT developers are no less vulnerable to JavaScript attacks than anyone else. However, because the goal of GWT is to allow developers to focus on their users’ needs instead of JavaScript and browser quirks, it’s easy to let our guards down. To make sure that GWT developers have a strong appreciation of the risks, we’ve put together this article..”
Preventing Cross Site Scripting Attacks
“Cross site scripting (XSS) is basically using JavaScript to execute JavaScript from an unwanted domain in a page. Such scripts could expose any data in a page that is accessible by JavaScript including, cookies, form data, or content to a 3rd party. Here is how you can prevent your web pages from being exploited on both the client and the server. This is followed with tips on how to avoid vulnerable sites.”
Javascript Encryption
“Over the web, JS cryptography can only protect against passive eavesdropping, as the JavaScript itself is downloaded over an insecure link. If an attacker can modify network traffic, they can make malicious changes to the JavaScript code. In any case, JS interpreters are not designed for secure programming. They may leave sensitive information lying about in memory. They’re too slow for some algorithms, e.g. BSD-style MD5 passwords, or RSA with full-size keys. Bitwise operations are buggy in several implementations.”
“This page includes an open source JavaScript implementation of the RC4, AES, Serpent, Twofish, Caesar and RSA ciphers. Ciphers can encrypt and decrypt information such that persons who do not know the password (the decryption key) can not read it. The implemented ciphers are strong enough to protect important information such as your passwords and PIN numbers. ”
About the Author: Max Kiesler is an award-winning strategic designer and co-founder and principal of Ideacodes.com, a web consultancy in San Francisco focused on next generation websites. This article is is licensed under a Creative Commons Attribution 2.5 License.
Written by: Scott Frangos
This entry was posted on Monday, May 5th, 2008 at 8:26 am and is filed under AJAX Help, Web Help. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
June 23rd, 2008 at 11:32 pm
[...] Olivier Cole 375 Free Photoshop Brushes ? Brown Thoughts Extended Q&A with Greg Glover– local Cut Javascript and AJAX Security | WebHelperMagazine.com Tags dj mix software dj mix dj software dj mixer dj turntable dj music dj equipment dj scratch dj [...]