Understanding Ajax vulnerabilities
Protect the web applications you create with Ajax
Ajax has boomed in popularity with web developers because it:
- Has the ability to create robust web applications that data-driven websites rely upon
- Is meant to increase the speed and usability of websites
However, the "technology" that many web developers rely on to make their web-based applications imitate traditional desktop applications isn't really a technology at all. Ajax is a collection of technologies, with each technology playing an important role in the finished product. Table 1 shows the technologies included in Ajax.
Table 1. Technologies used in Ajax
|XML||The markup language that allows data to be transferred, manipulated, and exchanged between the server and client.|
|HTML and CSS||The technologies that allow for the design of the UI and presentation of the application.|
|DOM||The technology that drives the dynamic display of content and interaction with the data.|
The entire point of Ajax's existence is to create data-driven websites. But attackers aren't attracted to Ajax only for its use as a web application development tool. Because data—be it financial, personal, or confidential—is the golden fleece of online commodities, Ajax again finds itself a focus of cyber criminals.
In this article, explore some common vulnerabilities and threats to Ajax security, including browser-based attacks, SQL injections, XSS, and Ajax bridging, and learn some preventive measures you can take to protect against attacks.
Know the types of attacks
The famous Samy worm actually started as a joke to gather more friends on a social networking site. The creator of the worm uploaded malicious code, through his profile, which:
- Added anyone who visited his profile to their friend list
- Wrote "Samy is my hero" at the bottom of the victims' profiles
- Replicated itself to everyone on the victims' friend lists
Less than 24 hours after the first person fell victim, Samy had 1,000,000 friends and the site crashed.
Using Ajax doesn't put your website at any greater risk than if you used any other web technologies—especially if you know what the threats are. The rest of this article outlines some of the security vulnerabilities that you can anticipate and plan for in your development activities.
Simple examples of a browser-based attack occur when victims find their home page changed, or they are redirected to a different site when they enter a URL in their browser's address bar. Though annoying and troublesome, these examples are not the worst-case scenarios.
Many browser-based attacks are designed to prevent infected computers from noticing or to mitigate other attacks. Often, an attack on the victim's browser keeps them from accessing a malware removal site or signature file update using the web. Other threats include browser proxying and keystroke logging.
How can an SQL injection be a threat to Ajax? After all, there's no "S" in Ajax. Simply put, SQL injection poses a threat because Ajax runs on the client side. The server side of the web application still requires a database, and that means SQL.
SQL injections occur when the attacker inputs malicious code in a poorly developed area of a website, such as a form. If the site under attack is vulnerable, the entire contents of the database can be exposed. This method of attack was used when a password database was exposed and credit card data was stolen from an online payment system. More recently, the method was used to steal email addresses of fans from a popular entertainer's site. Though no money was stolen, spammers looking to spread malware under the guise of this entertainer's merchandise offers did use the addresses.
To protect your database when using Ajax, you must validate user input with validation occurring on the server side. Parameterized statements, or prepared statements, work to prevent SQL injections because values are not put directly into the database or SQL statement. Instead, a placeholder (also called a bind variable) is used and the values for the placeholder are provided through a separate API call.
XSS is another example of an injection attack where malicious code is inserted into the application. Web applications vulnerable to XSS attacks include browser-side scripts like those common to Ajax. Usually, this type of vulnerability is exploited to pass malicious scripts to unsuspecting visitors to the website. These scripts are responsible for identity theft, stolen cookies, spying on visitors' web use, accessing confidential information, and even denial-of-service attacks.
When developing with Ajax, take the following steps to protect against XSS vulnerabilities.
- Avoid backslash encoding (
- Use the JSON.parse or json2.js library to parse JSON.
- Avoid parsing JSON with the
eval()method, which executes any script included with the JSON.
Just as Ajax is not a specific technology but a collection of technologies, bridging is not a specific vulnerability. Ajax bridging increases the threat landscape by providing an additional avenue of attack for malicious hackers. Attacks such as XSS and SQL injections can be passed through the Ajax bridging service. Although site B might have done everything to protect its web application from threats accessible to its visitors, site A may be used to attack site B using the Ajax bridge that was overlooked.
Avoiding the bridging vulnerability requires trust among sites that provide access to third parties using a bridge. You should also audit how the third-party sites access your website and scan for any vulnerabilities that can be exploited by bridging.
Ajax itself does not present any new or unique security vulnerabilities. Nor should it be considered less safe than any other method of developing web applications. In this article, you learned about some Ajax security vulnerabilities and threats as well as how to take corresponding preventive measures in your development activities.
Protecting against vulnerabilities should be a priority in the early development stages, when you're first planning your application. Frequent testing and scanning should be part of any organization's web security strategy.
- Testing for AJAX Vulnerabilities: Read this section of the Open Web Application Security Project (OWASP) Testing Guide for more information about security issues in Ajax.
- SQL prepared statement: Read this article on Wikipedia for an explanation of a prepared statement.
- Bind parameters in SQL: Learn more about how bind parameters are created.
- XSS vulnerabilities: Get a deep understanding of the nuances regarding filter evasion.
- XSS attacks: Read about 20 high profile sites vulnerable to XSS attacks.
- Web application firewall: Learn more about using this countermeasure.
- developerWorks Web development zone: Find hundreds of how-to articles and tutorials as well as downloads, discussion forums, and a wealth of other resources for web developers.
- developerWorks on Twitter: Join today to follow developerWorks tweets.
- ModSecurity: This application provides a good web application firewall at no cost.
- IBM product evaluation versions: Download or explore the online trials in the IBM SOA Sandbox and get your hands on application development tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.