AJAX and security

September 6, 2006

This article was contributed by Jake Edge.

Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Unfortunately, AJAX also provides a number of serious security issues that should be considered and, at least partly because the technique is relatively new, many of the tutorials and other documentation completely disregard the security implications. Developing secure code rarely gets the attention it deserves and new technologies are typically slow to develop 'best practices' and to disseminate that information throughout their community. This can only lead to exploits in the future.

Traditional web applications are synchronous in nature, a user clicks a button or link which sends a request to the server; the server replies with a page of HTML and the browser displays the new page. AJAX applications do some amount of work in the background, making requests of the server, sometimes without explicit user input. These applications do not refresh the entire page as they receive replies from the server; they only modify parts of the page or their internal state which gives users a much smoother, less page oriented experience.

One of the best known examples of an AJAX application is Google Maps. While the user is viewing a particular section of the map, the client requests other sections of the map that are not yet visible and this allows the user to seamlessly scroll the map to view off-screen sections. Auto-completion for text fields, automatically updating form elements and form submission without a page refresh are other common uses for AJAX in these 'Web 2.0' applications.

In order to handle the asynchronous server requests, AJAX programs use the Javascript XmlHttpRequest (XHR) object. The name of this object is really where the X in AJAX comes from as XML is not necessarily used in the XHR request or response. A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Various queries and requests that were once handled internally on the server are now exposed as a de facto API for AJAX applications. This drastically increases the attack surface of these programs because there are so many additional ways to potentially inject malicious content. Filtering user input correctly is, as always, the single most important safeguard for a web application; this is an area that traditional web applications have regularly failed to handle correctly. It is difficult to see how adding additional ways to get user input into the application is going to help this problem.

SQL injection and Cross-site scripting (XSS) are two attacks that can be made against an application that does not filter user input correctly. AJAX techniques allow for additional ways to exploit these vectors in the background, undetectable by the user. The Myspace samy worm (more technical description here) is an example of the kinds of things that can be done. At the recent Black Hat Briefings, there was a session describing a port sniffer written in Javascript that could potentially discover internal network details behind a firewall and report them to a malicious site.

The requirement that XHR objects refer only to URLs on the same server is an excellent security choice. Unfortunately, it is probably the single biggest complaint that web designers have about AJAX. Because they often want to display information from various sources on the same page, the restriction is considered to be 'too strict' and to get around it, AJAX bridges came about.

An AJAX bridge proxies requests to other servers, returning the remote server's response. This allows XHR objects to refer to URLs on the server that returned the page, but still retrieve content from other servers elsewhere in the web. Unfortunately, this can lead to various abuses. Depending on how it is written, the bridge can provide a means to attack the third party site via SQL injection or XSS and allow the malicious user to hide behind a level of indirection. Various monitoring tools could detect the attack and shut down access for the aggregating site, effectively causing a denial of service attack. By proxying requests, a site is implicitly trusting its users not to abuse the APIs of third parties.

Many of these attacks are not new, nor do they require AJAX to function, but by incorporating AJAX techniques into web applications, they are made easier. At one time, it was considered reasonable to turn off Javascript for many or all sites, but with the prevalence of Web 2.0 applications, this just is not possible for most web users. Web application developers need to be vigilant in rooting out the bugs that allow these attacks to succeed.

Index entries for this article
GuestArticles	Edge, Jake

to post comments

AJAX and security

Posted Sep 7, 2006 4:27 UTC (Thu) by mrshiny (guest, #4266) [Link] (8 responses)

I'm curious about real exploits that are made possible by AJAX that don't exist otherwise.

Frankly, from the server's perspective, you still have an untrustworthy client making requests to a publicly available service. This is not new. The fact that you can dynamically request part of a page instead of a whole page changes nothing.

Also, the notion that SQL Injection or XSS attacks are somehow made worse in the presence of AJAX is strange to me. For one thing, XSS has always been able to use XmlHttpRequest, and can do so even if the host site doesn't normally use AJAX. Also, SQL Injection is a plain case of developers writing bad software, just like buffer overflows. This is a question of developer education and has nothing to do with AJAX.

Finally, an AJAX Bridge sounds just like an HTTP proxy; running an open proxy is stupid (from a security standpoint) and so is running an AJAX bridge.

The only real "news" here is that an AJAX enabled site may require javascript, which is true, but I think frankly uninteresting. Most users have found that navigating with scripts turned off has been basically impossible for years on most sites.

AJAX and security

Posted Sep 7, 2006 7:02 UTC (Thu) by dlang (guest, #313) [Link] (4 responses)

what's different is that in a traditional web application (CGI, Java, PHP, etc) you know that your internal functions really are internal, they can't be called without going though your main pages, and you can do your input validation in those main pages.

With AJAX, those 'internal' functions are being called over the Internet by your app running on the client. At that point they are no longer internal, they are exposed to the world and each one needs to do it's own input validation from scratch, they can't assume _any_ filtering by the rest of the app.

unfortunantly the people pushing the AJAX approach tend to ignore this fact, they treat all the little helper programs as if they were only going to receive input from the app, and so they tend to have lots of problems as a result.

it's not that these vunerabilities are unique to AJAX, it's just that the opportunity to make these sorts of mistakes are much more common, and the prevaling mindset isn't prompting people to look out for them (after all, if the server side is written in Java it must be safe, right? ;-)

a suitably paranoid and carefully written AJAX app can be just as safe as any other app (in fact, since each function tends to be called as it's own URL there are forces pushing for better seperation of different functions into different, small, easily checked programs rather then throwing everything into one large, complex, monolithic program), but without the extra care it is far more likely to have security holes in it

the key thing to remember is that any input any routine receives over a communication channel needs to be treated with suspicion, it doesn't matter what you _intend_ to have come over that channel, the fact that that channel is external to your routine makes any data that comes over it suspect.

it doesn't matter if that channel is the Internet, a call across a local network, a modem line, or a file written to the disk by another program, a unix socket, or anything else you want to name. you can't really _know_ that the source of the data is the program that you think it is.

Even encryption is of limited help here, if the other endpoint gets comprimised the new owner of it has access to everything on that machine, including any encryption keys stored there, and the ability to initiate traffic from that 'trusted' IP address.

there have been servers comprimised via certificate authenticated SSH (without there being any known bugs in the SSH software) a remote machine gets comprimised and then that machine is 'trusted' (becouse it presents a known cert and IP) to the real target machine.

this does mean that layered, component software requires more checks then monolithic applications, but it also means that the bad guy has more things they have to go through, and as the bad guy is working on breaking each of the layers, you have more chances to catch him and respond (even if each layer is vunerable to the exact same bug you buy a little time as the bad guy has to learn what the next layer is)

remember, that if your component is only supposed to be connected to by your own application (and has network defenses in place to help enforce this), invalid input to your component isn't just a typo to be corrected or silently ignored, it's an indication of an active attacker who has already broken through your first line(s) of defense and you should start setting off alarms (this is assuming your other components are written properly, if they aren't this is an indication of bugs in those components, which are probably still worth setting off alarms for :-)

with AJAX your internet exposed components probably don't have the benifit of being able to say that they only get connected to by your own stuff, so you can't set off as many alarms (although in a suitably important application you could do things with client certs issued to each machine during a login or registration process, at which time invalid input with a valid cert indicates a compramised client machine)

</security rant>

David Lang

AJAX and security

Posted Sep 8, 2006 15:32 UTC (Fri) by jbellis (guest, #14804) [Link] (2 responses)

"With AJAX, those 'internal' functions are being called over the Internet by your app running on the client."

If your framework really exposes all internal functions to AJAX callers, you should use a better framework.

(If not, such hyperbole is silly.)

AJAX and security

Posted Sep 8, 2006 16:03 UTC (Fri) by dlang (guest, #313) [Link] (1 responses)

I'm not saying that ALL of your internal functions are exposed, but the various things that are called by the browser javascript to perform actions are viewed by most ajax folks as being internal functions

i.e. there is never any intention of a browser connecting to them directly, only the javascript that's loaded from another page ever connects to it. and the viewpoint is that since you control that javascript you control the input to those routines.

these are the 'internal' functions that are exposed.

really good architects won't consider these internal, but far to many people do :-)

AJAX and security

Posted Sep 8, 2006 22:34 UTC (Fri) by mrshiny (guest, #4266) [Link]

But frankly this is not a new phenomenon. There have been tons of sites in the past that have done things like generate SQL on the client, or store permissions in cookies, or other stupid things. Ajax changes nothing; saying that there are security issues with Ajax is misleading.

The article seems to imply (in its headline mainly) that Ajax has security problems, and conversely that not using Ajax is secure. This article would have been better conceived as an article about web programming, with only a single paragraph dedicated to Ajax in particular. The security risks are real; let's tell all web programmers about them, instead of scaring people away from Ajax, or giving non-Ajax users a false sense of security.

AJAX and security

Posted Sep 9, 2006 16:03 UTC (Sat) by dps (guest, #5725) [Link]

I do not think AJAX exposes internals more than traditional web apps, but it might well lead to a more featurefull HTTP interface and therefore increase the range of things that can be attacked. The more you shift work onto the client the bigger this effect becomes.

Even in a tradiaional web app how do you know that your a backend was really called by pressing a button on its front end? AFAIK this is too difficult and instead the focus is usually on making sure the backend does what is supposed to do and nothing else. This might include not doing anything for those not duly authorised.

I know you can make HTTP requests within java applets wuithout relaoding the page, pass the results back to javascript and use DOM methods to change the page based on the results. The "internal" pages involved could also be (ab)used from elsewhere and need to take account of that fact.

AJAX and security

Posted Sep 7, 2006 13:28 UTC (Thu) by erich (guest, #7127) [Link] (2 responses)

Hi,
Ajax doesn't really allow you to do new stuff - so why should it allow new exploits? It just makes them fancier.

Face it: Ajax makes code auditing and such things a lot harder. If you're using Java, you can run all kinds of code verification tools. Is there any such thing for Ajax? Do you have unit tests for your ajax?

AJAX and security

Posted Sep 10, 2006 0:04 UTC (Sun) by mrshiny (guest, #4266) [Link]

There should be no reason why you can't write unit tests for AJAX applications. For one thing, the server-side component can be easily tested by calling it from a test harness such as httpunit. The java-script side may be trickier, but nothing stops you from writing a javascript test harness, in fact there may be one.

Furthermore, as AJAX techniques become standardized, standard tools such as unit test libraries will become more widely available and used. Currently Ajax programming is very bare-bones; once there is a large body of AJAX code there will be corresponding tests.

AJAX and security

Posted Sep 10, 2006 8:37 UTC (Sun) by dion (guest, #2764) [Link]

Well, there are some very nice and easy units to test when using ajax, namely all the urls that the ajax code will run.

I thought the point of the article was that with ajax you have n+1 more urls to audit and that in itself might mean that it's harder to ensure security.