AJAX: Is Your Application Secure Enough

AJAX: Is your application secure enough? Navaho Gunleg spilled these bits on April 5th 2006 @ 9:55 am

Introduction

We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.

Webmail applications use it to quickly update the list of messages in your Inbox, while other applications use the technology to suggest various search-queries in real-time. All this without reloading the main, sometimes image- and banner- ridden, page. (That said, it will most probably be used by some of those ads as well.)

Before we go into possible weaknesses and things to keep in mind when implementing an AJAX enabled application, first a brief description of how this technology works.

The Basics

Asynchronous Javascript and XML, dubbed AJAX is basically doing this. Let me illustrate with an example, an email application. You are looking at your Inbox and want to delete a message. Normally, in plain HTML applications, the POST or GET request would perform the action, and re-locate to the Inbox, effectively reloading it.

With the XmlHttpRequest-object, however, this request can be done while the main page is still being shown.

In the background a call is made which performs the actual action on the server, and optionally responds with new data. (Note that this request can only be made to the web-site that the script is hosted on: it would leave massive DoS possibilities if I can create an HTML page that, using Javascript, can request thousands of concurrent web-pages from a web-site. You can guess what happens if a lot of people would visit that page.)

The Question

Some web-enabled applications, such as for email, do have pretty destructive functionality that could possibly be abused. The question is — will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?

Do you know if your recently developed AJAX-enabled or enhanced application is able to do this? And if so — does it do this adequately?

Do you even check referrers or some trivial token such as the user-agent? Chances are you do not even know. Chances are that other people, by now, do.

To be sure that the system you have implemented — or one you are interested in using — is properly secured, thus trustworthy, one has to ’sniff around’.

Incidentally, the first time I discovered such a thing was in a lame preview function for a lame ringtone-site. Basically, the XmlHttpRequest URI’s ‘len’ parameter specified the length of the preview to generate and it seemed like it was loading the original file. Entering this URI in a browser (well, actually, ‘curl‘), specifying a very large value, one could easily grab all the files.

This is a fatal mistake: implement an AJAX interface accepting GET requests. GET requests are the easiest to fake. More on this later.

The question is — can we perform an action while somebody is logged in somewhere else. It is basically XSS/CSS (Cross Site Scripting) but then again, it isn’t. My Prediction

Some popular applications I checked are hardened in such a way that they use some form of random sequence numbering: the server tells it, encoded, what the application should use as a sequence number when sending the next command. This is mostly obscured by Javascript and a pain in the ass to dissect — but not impossible.

And as you may have already noted: if there is improper authentication on the location called by the XmlHttpRequest-object, this would leave a possibility for malicious purpose. This is exactly where we can expect weaknesses and holes to arise.There should be proper authentication in place. At all times.

As all these systems are built by men, chances are this isn’t done properly.

HTTP traffic analysis Analysing HTTP traffic analysis with tools like ethereal (yeh I like GUIs so sue me) surely comes in handy to figure out whether applications you use are actually safe from exploitation. This application allows one to easily filter and follow TCP streams so one can properly analyse what is happening there.

If you want to investigate your own application, the use of a sniffer isn’t even necessary but I would suggest you let a colleague that hasn’t implemented it, play around with your app and a sniffer in an attempt to ‘break’ through it.

Cookies Cookies are our friend when it comes to exploiting, I mean researching any vulnerabilities in AJAX implementations.

If the XmlHttp-interface is merely protected by cookies, exploiting this is all the easier: the moment you get the browser to make a request to that website, your browser is happily sending any cookies along with it.

Back to my earlier remark about a GET-requests being a pretty lame implementation: from a developers point of view, I can imagine one temporary accepts GET requests to be able to easily debug stuff without having to constantly enter irritating HTTP data using telnet. But when you are done with it you really should disable it immediately!

I could shove a GET request hidden in an image link. Sure the browser doesn’t understand the returned data which might not even be an image. But my browser does happily send any authenticating cookies, and the web-application on the other end will have performed some operation.

One can modify its own browser, to make request to other websites, but it would be hard to get the browser on somebody elses machine to do this.

Or would it?

If proper authentication, or rather credential verification, still sucks, I can still set up a web-site that does the exact POST method that the AJAX interface expects. That will be accepted and the operation will be performed. Incidentally I have found a popular site that, so far, does not seem to have proper checks in place. More on that one in another article.

Merely using cookies is again a bad idea. One should also check the User-Agent and possibly a Referrer (the XmlHttpRequest nicely allows one to send any additional headers so you could just put some other token in the Referrer-field). Sure these can still be faked — but it may fend off some investigating skiddiots.

Sequence Numbering, kinda…

A possible way of securing one’s application is using some form of ’sequence-numbering’-like scheme.

Roughly, this boils down to this.

One should let the page, or some include javascript, generated on the server side, include some token that the performs some operation on which gives a result which is used in any consecutive request to the webserver. The webserver should not allow any request with another ’sequence number’, so to speak.

The servers’ ‘challenge-string‘ should be as random as possible in order to make it non-predictable: if one could guess what the next sequence number will be, it is again wide open for abuse.

There are properly other ways of hardening interfaces like this, but they all basically come down to getting some fixed information from the webserver as far away from the end-users reach as possible.

You can implement this as complex as you want but can be implemented very basic as well.

For instance when I, as a logged-in user of a web-enabled email-application get assigned a Session-ID and stuff, the page that my browser receives includes a variable iSeq which contains an non-predictable number. When I click “Delete This Message”, this number is transmitted with the rest of the parameters. The server can then respond with new data and, hidden in the cookies or other HTTP Requests field, pass the next sequence number that the web-server will accept as a valid request, only.

As far as I know, these seems the only way of securing it. This can still be abused if spyware sniffs HTTP communications — which they recently started doing.

Javascript Insertion

On a side note I wanted to throw in a remark on Javascript Insertion. This is an old security violation and not really restricted to AJAX, and not an attack on AJAX. Rather, it is an attack utilising the XmlHttpRequest object for malice.

If I would be able to insert Javascript in the web-application I am currently looking at in my other browser window, I would be able to easily delete any post the site allows me to delete. Now that doesn’t seem all that destructive as it only affects that user? Wrong, any user visiting will have its own posts deleted. Ouch.

Javascript insertion has been a nasty one for years and it still is when people throw their home-brew stuff into production.

On a weak implemented forum or web-journal, one could even post new messages — including the Javascript so that any visitor — with the proper permission — would re-post the message keeping the flood of spam coming.

As these technologies keep developing — and lazy website developers do not update their websites to keep up with these changes.

The recent ‘AJAX enhancements’ that some sites got recently might have been improperly implemented. This year might be a good time to check all those old web-applications for any possible Javascript insertion tricks.

If you didn’t mind the cookies getting caught — the sudden deletion of random items and/or public embarrassment might be something to entice you to verify your the code. Digg This Article

Technorati Tags: AJAX, Assessment, Javascript, programming, Security, web application security, web applications, web security, web2.0, web20, webapps

Subscribe to Darknet RSS Feed

Bookmark this post at: Stored in: Exploits/Vulnerabilities, Countermeasures, Web Hacking

Related Posts: - Sprajax - An Open Source AJAX Security Scanner - An Introduction to AJAX - Academic Papers on Web Application Security - Viruses & Malware Monitored on a Dynamic World Map - What Next? The Poker Rootkit of Course! - Donations Flood in for Guilty Security Researcher Guillaume Tena

| 51844 Views |

71 comments trackback this article

1. Ajaxian » Is your application secure enough?

pingback

[…] Ajax security is on everyone’s minds these days, whether it’s just a simple internal application or a large, public-facing hulking app. Worrying about the security of your project is never a bad thing, and to try to help direct your thoughts in the right direction, I wanted to share this post on Darknet.org.uk that asks the question “Is your application secure enough?” […]

2. Subbu Allamaraju

April 5th, 2006 | 2:41 pm

I must say that your analysis is a bit hyped, and most of the issues you list are not specific XMLHttpRequest, and apply to any secure web site.

From your post, I see two key arguments (a) servers can’t tell whether a request is a normal full-page request, or a request for some fragment or data, and (b) don’t use GET. On the first point, you don’t justify why the server should care. You can always sniff headers/cookies etc, and you can change query params at will. That does not necessarily make a site insecure. There are ways to design a site against such changes. I don’t see how this is related to XMLHttpRequest at all.

On the second point, GET and POST have their own semantics and applicability. You may be able to easily recreate a GET request, hey - someone who understands the difference between GET and POST can easily recreate POST requests as well. That does not justify using POST for everything. In fact I would argue that GET should be used for all idempotent requests.

3. aroon

April 5th, 2006 | 2:52 pm

i have to agree with Subbu. Yeah AJAX is ssynchronous but guess what, so are regular http requests…

i dont think AJAX has changed security issues from a server side point of view at all. The www world was stateless before and its stateless now.

4. Ian

April 5th, 2006 | 2:54 pm

You raise fair points, however these are concerns with EVERY web based application, even ones driven by the traditional GET/POST form submission methods. Using a GET request through XMLHttpRequest isn’t by any means flawed or “less secure,” as POST can be “faked” just as easily. It all comes down to doing what is required of EVERY web programmer: assume that all incoming data is unclean. Input validation must NOT be left as an excercise for the client-side of a web. If your ajax script is working with sensative data, you’d better have user/session validation in place. If you’re concerned about session hijacking through a malicious program sniffing HTTP traffic, you’d better resort to using an HTTPS connection, and insist that any session cookies you create are set to only be transmitted across a secure connection. And, most importantly, you’d better assume that any request to the back-end component of an AJAX script contains data that is malformed.

While I think this article serves a prupose for informing new web app designers who have been drawn in by AJAX et. al., these security issues are truly a concern for all web applications, and have been for years.

5. Technological Musings

trackback

AJAX Security…

I read an interesting article today over at Darknet. It brings to light some of the "new" techniques that can be used to exploit newer Web 2.0 applications.The article was an interesting read and got me thinking about application security …

6. Development.2Yellows

trackback

AJAX security…

Slashdot posted a story about security of AJAX calls, actually they posted very little about it, the original story can be found here. Most of the possible security issues described should be considered while writing dynamic web pages too, so we know t…

7. Kevin Mallory

trackback

Is your AJAX secure?…

AJAX: Is your application secure enough? »……

8. c

April 5th, 2006 | 3:38 pm

Instead of using Ethereal, have you seen Fiddler? It’s a GUI tool to analyze (and debug, tamper, replay) HTTP requests.

www.fiddlertool.com

Hey, this comment thingy is pretty cool too.

9. Passion is like genius; a miracle. » AJAX: Is your application secure enough?

pingback

[…] AJAX: Is your application secure enough? […]

10. dburkes

April 5th, 2006 | 3:42 pm

With regard to using POST versus GET, you said the following:

“But I cannot get a script, for instance I could have embedded one in this article, to do a POST request to another website because of the earlier noted restriction: you can only request to the same web-site the web-application is on.”

This is completely untrue. A script can easily create a

node, using standard DOM APIs, create child nodes, then call formNode.submit(). Such a dynamically-created node can submit to any URL- it’s not limited by the same-source restriction.

So your theory that using POST buys you some security doesn’t really hold water.

11. Michael Peters

April 5th, 2006 | 3:48 pm

I agree with most of the previous posts that this article did not say anything new. Any real concerns mentioned are applicable to all web application not just AJAXified ones.

POSTs are no more secure than GETs (but using a POST to simply GET something is wrong, breaks bookmarking, etc); using anything that can be faked (referer, user-agent) for security is just silly;

It all boils down to authentication and authorization, and every web application that needs to protect resources needs to be concerned about those anyway. 12. Navaho Gunleg

April 5th, 2006 | 3:49 pm

Thanks for the feedback.

First of all, yeah the same implications arise as with usual web-applications, no doubt about that.

But never underestimate the stupidity of people in large groups. People think that, because this stuff seems to go on ‘in the background’, not that much care needs to be taken.

Subbu: On GET/POST: GET is definitely easier to abuse than a POST request. As I wrote, such a request GET can be accomplished by simple supplying in an image SRC-tag. For example, if you were on an online email system that uses only GET for its operations, I could send you an email, simply with image links to all types of destructive operations within that email system, for instance to send email to others etcetera. I cannot get an image-link to perform a POST request. Filtering out scripting will take care of fixing any dangers with the POST — but to guard against a GET attack the email- system should disallow images alltogether (which, from a security point of view, isn’t that bad a practice at all though).

BTW, you failed to notice c) sequence numbering — which I really ought to have called session validation tokens — as a suggestion to further harden AJAX communications.

That way — it hardens it a bit more but sure, as all the responders noted its the same for web- applications in general it being the nature of the protocol, so to speak.

But it sure as hell shouldn’t be very, very easy to abuse.

Problem is, you know it, I know it, the people that responded here knew it. But, these issues have been plagueing web-applications for years, and will do still because every few years, with a new fresh crew of web-developers, history starts to repeat itself because one fails to do something or wrongly does so. (Javascript insertion or XSS for example still keep appearing now and then, which with the coming of this object has other interesting complications.)

(BTW slightly off-topic, but there is a more effective way to properly secure web-applications against almost any type of attack. If the webserver wouldn’t ever accept links that it never even has exported in the generated HTML, to that specific IP adress, how about, if a user does request it, it simply rejecting to comply or redirecting the user to the main-page?)

13. robert allen

April 5th, 2006 | 3:50 pm

I did not release that ajax was so dodgey, this will really help my devolpment of my new CMS, ajaxCMS, which i have been making over the last 3 months, and it has taken forever to make public.

Info about ajaxCMS: www.pcwebtalk.com Demo of ajaxCMS: http://ajaxdemo.pcwebtalk.com

And i like the comment preview on this site, cleaver but laggy idea. (at least in my 0.4GHZ

14. How much attention have you paid lately to securing your AJAX application? | Ajax Blog

pingback

[…] Read the entire article: AJAX: Is your application secure enough? […] 15. Navaho Gunleg

April 5th, 2006 | 4:09 pm

dburkes What you suggest is entirely true, but in that situation, the created form will redirect the end- user and prevent it from ever reading the page itself: that would be most succesful if that was done in a seperately created window.

But it will not let the users’ browser, unbeknowst to that user do any wicked stuff somewhere else as is possible with a GET request that could be hidden anywhere, see the subtle difference there?

If, and only if, properly hardened sure GET can be an option as well, but in the end I think using GET or POST boils down to each owns’ well-thought over choice.

I think any experienced person knows that web-based applications, especially very important ones, are evil. But if everybody keeps using them, it’s good to keep conversations like these alive.

There are popular sites pretty easily vulnerable.

Michael: Yeah, using referrer and user-agent fields is lame but as I suggested one can perfectly use these fields as session validation tokens as one has control of the headers with an XmlHttpRequest. This is impossible to fake with any GET or POST. (Note that the danger here is not per se about myself faking communications to perform some action (as would be possible with curl), but more about tricking other peoples browsers into performing such an operation.)

16. Joe

April 5th, 2006 | 4:31 pm

Wow, you are a complete moron. None of this has anything to do with AJAX, its all just basic form security. And not only that, but you don’t suggest security, you suggest obscurity. Well done, ride that web2.0 fagwagon.

17. KR

April 5th, 2006 | 4:39 pm

A basic check for parameters and where the request originated should be sufficient. Any professional application should do this.

If you’re talking AJAX vulnerabilities by messing with the javascript, take a look at the number of sites that are vulnerable to injection attacks which can be more damaging.

18. Joe (another Joe)

April 5th, 2006 | 4:49 pm

A small piece on using Request Tokens to reduce the threat of session-hijacking.

19. Anonymous

April 5th, 2006 | 6:01 pm

Using GET is a major mistake-a-to-make. POST is a lot better, as it harder to fake. The XmlHttpRequest can easily do a POST. But I cannot get a script, for instance I could have embedded one in this article, to do a POST request to another website because of the earlier noted restriction: you can only request to the same web-site the web-application is on. As many other people have pointed out, there’s nothing wrong with using GET for many applications; anywhere where you want the user to be able to bookmark your URL or email your URL is a good rule of thumb.

It appears that you’re saying that you shouldn’t use POST for credential transfer (password login); that’s a bit different than a blanket statement saying don’t use GET. In that case, yes, you’re absolutely right. In fact, the RFC makes that point clear already.

And your other point is not true. You could POST to any website using something like CURL. I think you’re confusing embedded Javascript/XSS attacks with the POST/GET HTTP commands.

Most of your article seems to be implying that GET can be more easily used in cross-site scripting attacks; this is a good point, but really this entire article was about XSS. Sending and email or embedding bad content in a web page is XSS. Using POST will prevent XSS, as you point out, but that’s not a good enough reason.

For example, entries in a search form are best left as GET. That way, the entries will show up in the URL and be bookmarkable and emailable. What would Amazon work like without GET?

I think you wrote a good article; keep up the great work.

20. Carlos Soler » Is Your AJAX App Secure?

pingback

[…] “An article looking in detail at some of the security problems with AJAX, how to find them and how to approach them or fix them. Security with AJAX is of course an important consideration as it’s asychronous and a malicious user could write data back to your database if implemented incorrectly.” […]

21. Anonymous

April 5th, 2006 | 6:11 pm

This is a very silly article. The only thing “harder” about faking a POST as opposed to a GET is that you might use a tool to speak HTTP instead of typing sh*t into your location bar. None of this is real security.

Someone tell me what, from a security standpoint, the difference is between an AJAX GET or POST and a traditional web form GET or POST. Answer: zero.

Next time learn a little about the field before you claim to be an expert, please.

22. Navaho Gunleg

April 5th, 2006 | 6:47 pm

Joe: Yeah it is basic http protocol security, I never meant to say otherwise.

However, if you think I suggested obscurity you either seem to have misinterpreted or I have failed to properly get my point across.

(And web 2.0? If only the end-user was that lucky — rather web 0.2 if you ask me.) Another Joe: Interesting link, that’s indeed a more sophisticated implementation of basically the same idea. The links on the bottom there are quite interesting as well.

The Session Hijacking PDF for instance is a more elaborate article on sessions in general — it basically tells of the same dangers and if you develop web-apps it is definitely worth a read.

Anonymous (1st): I see I totally failed to get one important point across: I was not talking about my, myself, using curl to fake a POST — I have been doing that for ages.

I mean that it should be hard for me to trick your browser into doing a post request somewhere else. It is hard to fend against, on the server side, in a normal HTTP world — everybody that responded hasn’t failed to understand that.

AJAX seemingly has these same faults, but properly implemented this can be done relatively safely (like those page and request tokens mentioned in the link by Another Joe.

Sure I can curl myself senseless in stead of using a real browser to read my own email somewhere.

But I should not be able to trick your browser into doing something you don’t want, by creating a web-form on-the-fly and automatically submitting it when one could’ve guarded against this quite easily.

Anonymous (2nd): I have never claimed to be an expert, nor am I.

And also you have failed to notice that, on the server-side, there definately can be a distinctive difference between an ‘AJAX’ GET/POST request and a traditional one that, from a security standpoint, can reduce abuse to an acceptable minimum.

23. James McDugal

April 5th, 2006 | 6:49 pm

When I read your first paragraph:

“We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.”

I knew this would be bunk. There is absolutly nothing “recent” about this technology. It has been built into IE for years. Research before blogging, else look like an idiot.

24. l;

April 5th, 2006 | 6:51 pm

blah whatlol

25. James McDugal

April 5th, 2006 | 6:51 pm

Um, not that you’re an idiot. What I meant was, someone who blogs about a subject without researching the info might look like one. That still didn’t come out right. My apologies in advance.

26. Adam

April 5th, 2006 | 7:03 pm

Ethereal, blah. Clearly you should be using TamperData.

27. aroon

April 5th, 2006 | 7:27 pm

Uh, I seriously hope you see the flaw in this. The first time you publish a website you’ll never be able to access it…

28. Jim

April 5th, 2006 | 7:34 pm

There is a claim above that he can’t create a page using AJAX to communicate with a server other that the webserver which created the page. This may be true, but you don’t have to use AJAX. We’ve been doing AJAX-like stuff for years by simply using an iframe (you can give it 0 size so you don’t see part of the page reloading over and over) and then using simple JavaScript, you can hit whatever URL you want…including the urls that return AJAX conent.

29. Anon

April 5th, 2006 | 7:59 pm

“As these technologies keep developing — and lazy website developers do not update their websites to keep up with these changes.”

Sometimes the “lazy website developers” try to get people to listen to them about security risks like this and they fall on deaf ears. Before you roll out your jump to conclusions mat, and leap to who’s fault this is, start with blaming management and work down.

But hey, thanks a lot for the insult asshole.

30. Project :: penk i blog » Blog Archive » 本日書籤

pingback

[…] http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/ […]

31. Anonymous

April 5th, 2006 | 9:04 pm In reference to “lazy website developers”, we actually would like to develop secure web applications. But do not have time to invent the wheel. We would love a book or two that not only shows the problems but how to design/code around them.

32. Bruno Ripa » Blog Archive » Ajax security

pingback

[…] A questo indirizzo un interessante tutorial per Ajax, a proposito della sicurezza. Io l’ho trovato molto interessante. […]

33. Goober

April 5th, 2006 | 9:09 pm

He, he, he, he! Wow! This is all very funny. The security issues I’m currently plugging are far more evil than session-hijacking.

This artical could have been shortened to just: Use SSL/TLS or die!

34. BC

April 5th, 2006 | 9:22 pm

I don’t understand this entire article. I have never had to worry about any of this because I have done security the right way, on the server side on every request. This makes it impossible for a user to effect other users in anything I have written.

Each and every work around in this article makes it more difficult, but its like an alarm system, it will never deter the most serious threats.

Why is it that everyone wants to add complexity to a function that I was using 7 years ago on the web and have never had a sinlge security problem with.

Also, the growing trend is to open-up your web systems and allow users to manipulate them in new ways. The type of client-side clamp down of AJAX is un-necessary and runs counter to current trends.

Why do we need to wrap secuirty around HTTP requests in any other way then we do for a regular web page. If someone can explain to me why building security into the right layer of an application would still open my applications to security risks via AJAX, I might change my position, but this artilce certainly didn’t.

35. LGW

April 5th, 2006 | 9:27 pm

Nice article, but there’s one problem with it: you fail to point out that most of it is not about security against malicious users directly accessing the web page, but about malicious scripts (CSS and stuff) that exploit web applications directly from the users browser.

That’s why everyone is bashing you for postulating POST is “better” than GET, which it is not when it comes to basic webapp security, but when you try to do intrusion protection (like your scenario with the ). I needed a while and all your replys to the comments below the article to understand what you are trying to say here, and yes, you are right: CSS stuff like the img examples is much more complicated to fake when using POST.

Anyway, nothing of this is about Ajax security, because the img-get-link scenario would as well apply to an application that does without using Ajax.

So, it just boils down to “beware, Ajax is just as (in)secure as the whole rest of your application, so make sure it’s secure”.

BTW, I think that the only thing that fixes CSS is validating input data correctly. When you let “input through unfiltered”, you are lost anyway.

36. Sam

April 5th, 2006 | 10:01 pm

1) Anyone not authenticating every request to the server is doomed. (Attacker can hit the server directly.)

2) Anyone allowing the end user to post any html content to a site that can be viewed by another user without parsing the html and reformatting it is doomed. (XSS)

3) Anyone not html escaping there parameters(including file names if files are gotten by name) are doomed. (Emailing an image or setting an image filename to something like “delete?all=true&.jpg”)

All of these attacks were available before AJAX, it’s just that since people expose functionality with a finer grain, and have more functions exposed with AJAX, there will be more problems, and attackers may be able to perform some specific actions that they may not have been able to do before.

There is nothing wrong with trusting random cookies.

The best solution might be to create and map random urls… This is a good arguement for continuation based frameworks, as they really need to create random url’s to identify which continuation to load. (ie where to pick back up in the application)

37. spyrral