|Join hundreds of InfoSec professionals at our upcoming |
[Global AppSec Amsterdam, September 23-27]
Testing for AJAX Vulnerabilities (OWASP-AJ-001)
- Create a larger attack surface with many more inputs to secure
- Expose internal functions of the Web application server
- Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms
- Login Information and Intrusion Detection
Attacks and Vulnerabilities
Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.
XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.
Increased Attack Surface
Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content.
SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database.
A typical SQL Injection attack could be as follows
- Example 1
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges.
- Example 2
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
The above query helps in dropping all the tables and destructs the database.
More on SQL Injection can be found at SQL Injection (OWASP Testing Guide v2).
Cross Site Scripting
Scripting (XSS) attack.
Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.
The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.
Client Side Injection Threats
- XSS exploits can give access to any client-side data and can also modify the client-side code.
- DOM Injection - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)
<SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write(document.URL.substring(pos,document.URL.length)); </SCRIPT>
- JSON/XML/XSLT Injection - Injection of malicious code in the XML content.
Cross Site Request Forgery(XSRF)
Browser Based Attacks
The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks.
Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.
The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In Samy attack,the XSS Exploit allowed <SCRIPT> in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile
Yahoo! Mail Attack
Here are some of the AJAX Testing Tools
Scriptaculous's Ghost Train is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application.
Squish is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.
- Billy Hoffman, "Ajax(in) Security",SPI Labs
- Billy Hoffman, "Analysis of Web Application Worms and Viruses",SPI Labs
- Billy Hoffman, "Ajax Security Dangers",SPI Labs
- Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path
- Amit Klein. "DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS", Web Application Security Consortium
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents