
Posted on 19-Jan-2015










Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation


AJAX – New Technologies, New Threats

Dr. David Movshovitz, IDC – School of Computer Science, dmovshovitz@gmail.com, 0544233779



Lecture Agenda

Browser Technology Overview

What is AJAX

The XHR Object

AJAX Advantages

Web Application Architecture

JavaScript Browser Security

“Same Domain Policy”

AJAX Bridging

AJAX & Application Security - What’s new in Web 2.0

Exposure of Internal Details

Input Validation

Intranet Hacking


AJAX Security is a Real Problem


Browser Technology Evolution

Static HTML documents, one site at a time

Data content from different sites (images, frames)

Programmability with DOM (JavaScript)

Dynamic HTML (JavaScript)

AJAX & client-side mashup applications



What is AJAX


What is AJAX?

AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated “on-the-fly” without the user moving from page to page.

Coined by Jesse James Garrett of Adaptive Path

Not a language!

Uses JavaScript on the client and any language on the server

Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature rich and practical web applications.

Dynamic HTML - a DHTML webpage is any webpage in which client-side scripting changes variables of the presentation definition language, which in turn affects the look and function of otherwise "static" HTML page content, after the page has been fully loaded and during the viewing process.

AJAX is commonly used along with DHTML to provide an enhanced user interface.

AJAX and DHTML are two separate things


What is AJAX? (cont.)

In the background of an AJAX-enabled web page, data is transferred to and from the web server.

The mechanism for performing asynchronous data transfers is a software component embedded in all modern web browsers called XMLHttpRequest (XHR).

An AJAX web application uses an XHR JavaScript object to fetch data from a remote web server and then manipulates this data to update the web page through the DOM.

“Ajax Engine” - the XMLHttpRequest (XHR) Object

Allows us to send information to the server without post backs

Makes the request and receives the data back

Can be asynchronous or synchronous

XHR is the key to a website earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.


Adaptive Path’s Original Diagram



The XHR Object


XHR Object Methods

Method – Description

abort() – Stops the current request

getAllResponseHeaders() – Returns all header (label/value) sets

getResponseHeader("headerLabel") – Returns the value of the specified header label

open("method", "URL"[, asyncFlag[, "userName"[, "password"]]]) – The heart and soul! Sets the destination URL, method, and other optional attributes

send(content) – Transmits the request

setRequestHeader("label", "value") – Assigns a header to be sent with the request


XHR Object Properties

Property – Description

onreadystatechange – Event handler for an event that fires at every state change

readyState – Object status integer

responseText – String version of the data returned from the server process

responseXML – DOM-compatible document object of the data returned from the server process

status – Numeric code returned by the server, such as 404 for "Not Found" or 200 for "OK"

statusText – String message accompanying the status code


The XHR Object

The XHR open() - open("method", "URL", asyncFlag);

method = GET or POST

URL = Page to request

asyncFlag = True or False

The XHR Send parameters – send(content)

Send is like clicking the submit button on a form.

The parameters should be set to null or empty string if you are not posting any information.

If you are posting, the name/value pairs should look like a query-string without the question mark, i.e. req.send("foo=bar&ajax=123");

If you are using GET, append the values to the URL in the open method


XHR Object Properties

onreadystatechange – The object's only event handler.

It is fired only in asynchronous mode (3rd parameter set to true in the open method)

It is fired a total of 4 times.

We can assign a reference to a named function or an anonymous function to it:

req.onreadystatechange = functionName;

req.onreadystatechange = function(){ /* statements */ };

readyState values

0 – Uninitialized; The initial value when new reference to Object is created

1 – Open; The open() method has been successfully called.

2 – Sent; The request made it, but no data has yet been received.

3 – Receiving; All HTTP headers have been received.

4 – Loaded; The data transfer has been completed. We can now play with the data!


Example of XHR Object

var req = new XMLHttpRequest();

req.onreadystatechange = myFunction;

req.open("GET", "", true);   // destination URL left blank on the original slide

req.send(null);              // GET: nothing to post, so send null

function myFunction() {
  if (req.readyState == 4) {          // 4 – Loaded: the whole response is available
    doSomethingWith(req.responseXML);
  } else if (req.readyState == 3) {   // 3 – Receiving: headers in, body still arriving
    showProgressIndicator();
  }
}

Web applications use the XmlHttpRequest object to:

Dynamically load XML or JSON formatted data files

Use DHTML to alter the page based on the data
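An added example (not the slides' code) of an onreadystatechange handler that consumes the response only when readyState is 4 and the status is 200, driven by a minimal stand-in for XMLHttpRequest so the four-step sequence can be run outside a browser. The stand-in object, the callback names and the sample bodies are constructed for this example.

```javascript
// Builds the handler for `req`; `events` supplies onProgress(), onDone(text), onFail(status).
function makeHandler(req, events) {
  return function () {
    switch (req.readyState) {
      case 3:   // Receiving: headers are in, body still arriving
        events.onProgress();
        break;
      case 4:   // Loaded: transfer complete, but check the status before trusting the body
        if (req.status === 200) events.onDone(req.responseText);
        else events.onFail(req.status);
        break;
      default:  // 0 Uninitialized, 1 Open, 2 Sent: nothing to consume yet
        break;
    }
  };
}

// Stand-in for XMLHttpRequest (constructed): walks readyState 1 (open), 2 (sent),
// 3 (receiving), 4 (loaded) and fires onreadystatechange at each step, four times in all.
function fakeXhr(status, body) {
  const x = { readyState: 0, status: 0, responseText: "", onreadystatechange: function () {} };
  x.open = function () { x.readyState = 1; x.onreadystatechange(); };
  x.send = function () {
    for (const s of [2, 3, 4]) {
      x.readyState = s;
      if (s === 4) { x.status = status; x.responseText = body; }
      x.onreadystatechange();
    }
  };
  return x;
}

// Runs one request against the stand-in and returns what the handler observed.
function runRequest(status, body) {
  const seen = { fired: 0, progress: 0, done: null, failed: null };
  const req = fakeXhr(status, body);
  const handler = makeHandler(req, {
    onProgress: function () { seen.progress++; },
    onDone: function (text) { seen.done = text; },
    onFail: function (s) { seen.failed = s; },
  });
  req.onreadystatechange = function () { seen.fired++; handler(); };
  req.open("GET", "/data.json", true);   // constructed URL; asyncFlag true as on the slides
  req.send(null);                        // GET carries no body, so send(null)
  return seen;
}

console.log(runRequest(200, '{"items":[1,2,3]}'));   // fired 4 times, done set, failed null
console.log(runRequest(404, "Not Found"));           // fired 4 times, done null, failed 404
```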


Basic Example of Request code


var req = GetXHRObject();              // cross-browser XHR factory helper assumed by the slides

req.open("POST", "secure.php", true);

req.onreadystatechange = finishRequest;

req.send("foo=bar&ajax=123");          // same name/value pairs as the regular form below


Regular Form POST

<form action="secure.php" method="POST">

<input type="text" name="foo" value="bar">

<input type="hidden" name="ajax" value="123">

<input type="submit" name="sub1">

</form>


Simple Scripted Attacks On A Server

var req = new Array();

for (var i = 0; i < 1000; i++) {

req[i] = GetXHRObject();

req[i].open("POST", "secure.aspx", true);

req[i].onreadystatechange = function(){};   // response is simply ignored

req[i].send("foo=" + i);                     // 1000 requests fired from one page, no user action needed

}




AJAX Advantages


What is AJAX used for?

Data retrieval

Send data to the server for processing.

Form Validation

Anything you might load a new page for.

It is possible to build “One Page” Ajax Applications.


AJAX Advantages

Rich applications in modern browsers

Rich UI experience in a Web page

AJAX technology makes website interactivity smoother and more responsive

No more dreaded page refreshes

Very user-visible effect

In the case of Gmail, new email messages are displayed as they arrive automatically.

No issues with installation

Portable across browsers

All advantages of zero-install Web app

Built upon existing infrastructure – TCP/IP, XML, HTTP, SSL, etc.



Web Application Architecture


The Browser is the new “OS”

The browser has become a homogeneous execution platform

JavaScript is much more powerful

Object Oriented

Extendable: = function() {…}

Dynamic code execution

Regular Expressions

Very rich interface to/from browser/plugins

If JavaScript can’t do it, Flash/Java can


Web 1.0 to Web 2.0 Conversion


Architecture of Traditional Web Applications

Browser — A thin client

Most of the Application logic resides almost exclusively on server

Flow/business logic

Presentation logic

Client acts as a dumb terminal sending actions to the server

Server does all the processing and returns whole new page


Attacks Against Traditional Web Applications

Attacks involve:

Sending malicious data

Sending code as data

Trying to access unauthorized data

Malicious input/command hits edge cases in application design


Validate input parameters

Use proper authentication

Use proper authorization


Architecture of an AJAX Application

Browser—Rich/thick-client application

Application logic resides both on client and server

JavaScript™ technology takes on a bigger role

Uses XmlHttpRequest object

Fetch any kind of resource

HTML, GIF (view centric)

XML, JSON (data centric)

JavaScript technology (code centric)

Client DOM tree is being manipulated


Attacks Against AJAX Applications

Traditional web application attacks still apply

Attacker is inside your application

Knowledge increases

Larger attack surface

Data serialization from unknown/untrusted sources

Companies migrate to AJAX without much thought to security

In the case of mashups, attacking 3rd-party servers



JavaScript Browser Security – “Same Domain Policy”


JavaScript Security in the Browser

“Mobile code” = potential security risk

Browsers execute JavaScript code in a sandbox

Restrictions on JavaScript code in the sandbox

Cannot read/write files from/to the local system

Cannot execute any other programs

Cannot read the history of the browser

Cannot close a window that mobile code did not open

Cannot open a window that is too small


Browser’s “Same Origin” Policy

Also called “Server of Origin” Policy

“Origin” = (protocol + host + port) parts of the URL

Restriction limits interaction between frames, iframes, and script tags from different origins

Prevents client-side JavaScript from making requests to any server other than the server from which it was downloaded

Restriction has been extended to include XMLHttpRequest

XHR has security protections built-in, preventing a user’s browser on Website A from making connections to Website B, to protect users from malicious websites

Can only load XML from originating server

Different browser vendors implement this security somewhat differently
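An added example (not from the slides) that computes the (protocol, host, port) origin triple described above and applies the same-origin rule to a set of XHR targets, including the default-port and host-case cases that often confuse people. It uses the WHATWG URL class built into Node.js and modern browsers; the page and target URLs are constructed sample values.

```javascript
// Default ports per scheme, so "http://a.example" and "http://a.example:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Returns the origin triple of a URL. Path, query and fragment are deliberately ignored:
// they play no part in the same-origin decision.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { protocol: u.protocol, host: u.hostname.toLowerCase(), port: port };
}

// True when both URLs share protocol, host and port.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed sample: the page that loaded the script, and the targets its XHR code tries.
const PAGE = "http://www.example.com/app/index.html";
const TARGETS = [
  "http://www.example.com/api/search?q=ajax",   // same origin: path and query do not matter
  "http://www.example.com:80/api/search",       // same origin: explicit default port
  "https://www.example.com/api/search",         // different protocol
  "http://www.example.com:8080/api/search",     // different port
  "http://api.example.com/search",              // different host (a subdomain is a different origin)
  "http://WWW.EXAMPLE.COM/api/search",          // same origin: host names are case-insensitive
];

// Returns one decision per target, in the order given.
function sopDecisions(page = PAGE, targets = TARGETS) {
  return targets.map((t) => ({ target: t, allowed: sameOrigin(page, t) }));
}

for (const d of sopDecisions()) console.log(d.allowed ? "allowed " : "blocked ", d.target);
```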


“Same Origin” Policy for AJAX


More “Same Origin” Policy Cases


Proxy Remote Services

Also called “AJAX Bridging” or “Server-Side Proxy”

3rd-party proxy such as Apache mod_proxy or a custom proxy

Has performance / security limitations


The Remote Proxy Solution

Developers often create a local HTTP proxy on the host web server.

To have the client pull in data from a third-party website, they’ll direct an XHR request through the local proxy pointing to the intended destination.

Consider the following example request generated by the web browser:


Website A takes the incoming request, and sends a request to Website B designated by the “URL” parameter value.

The security issue is that Website A is hosting an unrestricted HTTP proxy, and attackers love open proxies because they can initiate attacks that cannot be traced to their origin.

The capabilities of the proxy should be carefully controlled and restricted with regard to which websites it will connect to and how.


Security Issues with AJAX Bridges

An Ajax-enabled online book store called wants to access some of the Web services that provides, such as an author search or genre recommendation service.

While anyone can sign up for a free account to access’s Web services, these free accounts have very limited privileges:

The number of unique queries,

The number of simultaneous queries,

The number of hits per second will be set very low.

A formal partner agreement between the two companies allows to access with fewer restrictions.


Security Issues with AJAX Bridges

If the attacker wants to copy the entire author database from,

he or she can simply issue thousands of queries to the Ajax bridge running on

The relationship between the two Web sites allows the attacker to extract more data by going through than if he or she had used a free account directly from

It is common in these situations for to limit the number of queries it has to make, reduce bandwidth, and improve performance for its users by caching the results it receives from

Since the attacker’s query may already be in the cache, the attacker may be able to extract data faster by using


Security Issues with AJAX Bridges

An attacker can also send malicious requests through the Ajax bridge from to . Using the bridge is another layer for the attacker to hide behind.

An attacker may cause a Denial of Service against all users if an IPS at detects the malicious requests coming from’s IP address and then automatically blocks all requests from .

It is possible that will not detect the attack being relayed through the Ajax bridge, if does not scrutinize the requests it receives from for malicious content as closely as the requests it receives from others.

This is common practice, since the two parties have an agreement to help each other and there is an immense amount of traffic coming in from .
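The countermeasure for both slides above (the unrestricted proxy and the abused partner bridge), as an added example that is not the slides' code: an admission check for a server-side AJAX bridge that relays only to allow-listed partner hosts and paths, so it is not an open proxy, and rate-limits each client so the partner agreement cannot be used to bulk-copy the remote database. Host names, paths, client ids and limits are constructed sample values.

```javascript
// Destinations the bridge may call; anything else is refused before any connection is made.
const ALLOWED = [
  // destination host            path prefixes the bridge may call on that host
  { host: "ws.partner.example", paths: ["/search/author", "/recommend/genre"] },
];
const MAX_REQUESTS_PER_MINUTE = 30;   // per client (sample value)
const windows = new Map();            // clientId -> { start, count }

// Decide whether the bridge may relay `requestedUrl` on behalf of `clientId`.
// Returns { ok: true, target } or { ok: false, reason }.
function admitProxyRequest(clientId, requestedUrl, now = Date.now()) {
  let target;
  try { target = new URL(requestedUrl); } catch (e) { return { ok: false, reason: "unparseable url" }; }
  if (target.protocol !== "https:") return { ok: false, reason: "only https destinations" };
  if (target.port !== "") return { ok: false, reason: "non-default port" };
  if (target.username || target.password) return { ok: false, reason: "credentials in url" };
  const entry = ALLOWED.find((e) => e.host === target.hostname);
  if (!entry) return { ok: false, reason: "destination not on allow-list" };
  // URL parsing has already normalised "..", so a prefix match on pathname is safe here.
  const pathOk = entry.paths.some((p) => target.pathname === p || target.pathname.startsWith(p + "/"));
  if (!pathOk) return { ok: false, reason: "path not on allow-list" };
  // Fixed 60-second window per client: the "thousands of queries" pattern is cut off here,
  // before it reaches the partner and consumes the privileged quota.
  const w = windows.get(clientId) || { start: now, count: 0 };
  if (now - w.start >= 60000) { w.start = now; w.count = 0; }
  w.count += 1;
  windows.set(clientId, w);
  if (w.count > MAX_REQUESTS_PER_MINUTE) return { ok: false, reason: "rate limit exceeded" };
  return { ok: true, target: target.href };
}

// Constructed sample requests as the bridge might receive them from browsers.
const SAMPLE = [
  "https://ws.partner.example/search/author?q=Garrett",   // admitted
  "https://ws.partner.example/admin/export-all",          // path not allow-listed
  "http://10.0.0.5/admin/",                               // not https, not on the allow-list
];
for (const u of SAMPLE) console.log(JSON.stringify(admitProxyRequest("demo-client", u)));
```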



AJAX & Application Security, or What’s New in Web 2.0


Major Cause of Security Concerns with AJAX-based Applications

Anyone CAN View the Source

Anyone can see the page that it is requesting from the JavaScript code!

Anyone can see the parameters being sent!

Anyone can see the validation!

Anyone can see the Business Logic!

The XHR object can be used to make requests without the user’s knowledge.

Attacker can also use images, iframes, frames, popup windows.

The AJAX model uses Web Services

More Ajax Functionality = More WebServices = More places to attack (Just need to forget one thing to make a new hole)

AJAX Adds More Attack Vectors


Exposure of Internal Details – What’s new in Web 2.0?

Better tools to analyze client-side code

Firebug (view DOM tree, put breakpoints, alter values)

Watir - Ruby-based tool

Selenium - Java technology based Tool

Much more client-side code for hacker to view and dissect

Potentially more client-side comments for hacker to view

Better social community (blogs, newsgroups, forums)


Exposure of Internal Details – What’s new in Web 2.0?

Hackers’ knowledge has increased

Application architecture/design details

Program business/logic flow details

Function names, variable names, return types

Helps build a footprint of the web application

Direct API access

Developers encouraged to expose more web services

Attacker calls your backend functions directly

Bypasses logic in the client side

Calls functions out of order


Exposure of Internal Details - Countermeasures

Do not give out unnecessary information

Remove comments from HTML/JavaScript technology code

Developer names, design details, notes, build numbers

Use build-time tools to remove comments

Turn off WSDL for your web services

Many tools auto generate WSDLs — turn them off

No need to expose all services, inputs, and types to users

Is AJAX the appropriate technology?

Use traditional web-application technology where security is a high priority

Obfuscate your JavaScript technology code


JavaScript Code Obfuscation

Obfuscation is not fool-proof.

Obfuscation can make maintenance, debugging, and code review harder, which degrades security.


Input Validation – What’s new in Web 2.0?

Validation confusion

Where is the validation done (client/server/both)?

With sophisticated drag-and-drop IDEs, validation details are hidden

Complexity of data has increased

Lack of good toolkits/regular expressions available to validate these types of input

What input gets validated?

Developers usually validate GET/POST parameters

Developers often forget about HTTP Headers

Developers forget about file input (images, audio, video)

Trusting data from B2B partners

Mashups are bringing data from non-validated sources


Improper Validation Countermeasures

Never trust the client!

Validate all input data to the application

Use strong validation techniques

Correctness, type, format, length, range, and context

Use white-listing instead of black-listing

Escape input where possible

Always validate on the server side

Server-side validation = data integrity and security

Client-side validation as a subset of server side

Client-side validation = usability and performance

For mashups, never trust the external server


Client Validation for AJAX Response

Developers usually forget that the AJAX response is not perfect

Developers don’t validate the AJAX response

Usability and Security issues


Make sure the data is what you expect it to be!

Validate your data

Use regular expressions to check for patterns

Look for key parts of the expression

Look for things that do not belong
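An added example (not from the slides) of the client-side check the two slides above call for: before an AJAX response is used to alter the page, confirm the status and content type, parse it, check the key parts against patterns, and flag anything that does not belong. The expected JSON shape, the field patterns and the two sample responses are constructed for this example.

```javascript
const ID_RE = /^[0-9]{1,10}$/;                 // key part we expect: a plain numeric id
const TITLE_RE = /^[\w .,:'()&-]{1,120}$/;     // allow-listed characters only; markup does not match
const EXPECTED_KEYS = ["id", "title", "price"];

// Returns { ok: true, items } or { ok: false, errors: [...] }.
function validateSearchResponse(status, contentType, text) {
  const errors = [];
  if (status !== 200) errors.push("unexpected status " + status);
  if (!/^application\/json\b/.test(contentType || "")) errors.push("unexpected content-type");
  let data;
  try { data = JSON.parse(text); } catch (e) { errors.push("body is not JSON"); }
  if (errors.length) return { ok: false, errors: errors };
  if (!data || typeof data !== "object" || !Array.isArray(data.results)) {
    return { ok: false, errors: ["missing results array"] };
  }
  data.results.forEach((item, i) => {
    // Things that do not belong: an extra field is as suspicious as a missing one.
    Object.keys(item)
      .filter((k) => !EXPECTED_KEYS.includes(k))
      .forEach((k) => errors.push("item " + i + ": unexpected field " + k));
    if (!ID_RE.test(String(item.id))) errors.push("item " + i + ": bad id");
    if (typeof item.title !== "string" || !TITLE_RE.test(item.title)) errors.push("item " + i + ": bad title");
    if (typeof item.price !== "number" || !(item.price >= 0 && item.price < 100000)) errors.push("item " + i + ": bad price");
  });
  return errors.length ? { ok: false, errors: errors } : { ok: true, items: data.results };
}

// Constructed sample responses: one as expected, one carrying markup, a non-numeric id,
// a negative price and a field the client never asked for.
const GOOD = '{"results":[{"id":42,"title":"Ajax in Action","price":29.5}]}';
const BAD = '{"results":[{"id":"42; drop","title":"<b>Ajax</b> in Action","price":-1,"debug":"sql"}]}';
console.log(validateSearchResponse(200, "application/json; charset=utf-8", GOOD));   // ok: true
console.log(validateSearchResponse(200, "application/json", BAD));                   // ok: false, four errors
```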



Intranet Hacking


Intranet Hacking

We tend to believe that while surfing the Web we are protected by firewalls and isolated through private network address translated Internet Protocol (IP) addresses.

With this understanding we assume the soft security of intranet Web sites and the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, and so forth, even if left unpatched

Nothing is capable of directly connecting in from the outside world. Right?

Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources.

The Web browser of every user on an enterprise network becomes a stepping-stone for intruders.


Exploit Procedures

A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.

JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.

Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.

Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.


Port Scanning Behind your Firewall

JavaScript can:

Request images from internal IP addresses, e.g.<img src=“”/>

Use timeout/onerror to determine success/failure

Fingerprint webapps using known image names


Diagram: Malicious Web page – 1) “show me dancing pigs!”, 2) “check this out”, 3) port scan results
