AJAX Security

From Computing and Software Wiki

Revision as of 23:08, 12 April 2009 by Leungg2 (Talk)

(diff) ← Older revision | Current revision (diff) | Newer revision → (diff)

AJAX stands for Asynchronous JavaScript And XML. AJAX is a type of programming, it is not a new type of technology, but instead, a combination of existing technologies used for a robust foundation for web application. These technologies include:^[1]

HTML and Cascading Style Sheets (CSS)
Document Object Model (DOM)
XML
XML HTTP Request
JavaScript (JS)

The use of AJAX provides faster and more user friendly web applications than traditional web sites.

Functionality

Traditional Process

The process of tradition website function by the user making a request, and the browser sends the request to the appropriate server. The server generates the requested web page as a response and the data is sent to the client. This process is all done synchronously.^[2]

How AJAX works

Ajax adds an extra layer of functionality in the communication model. Ajax engine acts as an intermediate between the user interaction to the browser and the server system. A full page is loaded only once when it is requested first time. Ajax engine, as an intermediate, takes the request for small segment of the page, which then requests information from the web server asynchronously.^[3]

Ajax uses Javascript to make requests to the server using the XTTPRequest Object.
The response is then handled by a Javascript method which processes and manipulates the data recieved from the server. This can be done by the onreadystatechange method of the HTTPRequest Object.
A request is made by the open() and send() method of the HTTPRequest Object in Javascript.
The open() method is implemented using these parameters:

First Parameter:

Name of HTTP request method (GET, POST, HEAD etc.)

Second Parameter:

URL of the requested page to read data from.

Third Parameter:

A boolean value (TRUE, FALSE), to specify whether the request is asynchronous or synchronous.

The send() method is sent with variables that are needed for the request in its parameters.
The readyState property is used to check the state of the request.
The status property is used to check the status of the HTTP server response.
The response data can then be retrieved from responseText (returns data from server in plain text) or responseXML (returns data from server in XML format).^[4]

Advantages of AJAX

Non Ajax Request^[1]

Ajax Request^[2]

AJAX is used for being able to provide users with a greater web browsing experience due to faster and more interactivity compared to traditional web technologies.

Its main advantage is the use of the XML HTTP Request which allows a web page to refresh a small portion of its data from a web server(asynchronously), rather than being forced to reload and redraw the entire page as in traditional web programming. ^[5]

Current website using AJAX include Google Calender, GMail, Yahoo!, NetVibes.^[6]

Security Vulnerabilities

Due to the increase popularity of AJAX and companies reliance of internet technology, web based applications have become more prone to attacks. Organizations must be prepared and secure themselves from the security risks.

By its nature, AJAX increases interactivity, it also allows for more network traffic which consequently increases the chance of attack that may not have been accessible with traditional technology.

AJAX technology is more of a white box application.The Ajax engine uses Javascript to capture the user commands and to transform them into function calls. Such function calls are not encrypted and sent in plain visible text to the server and may easily reveal important and private data which may be manipulated by a hacker.^[7]

Although it is possible to obfuscate JavaScript, it only makes the code more difficult but not impossible for hackers to read.^[8]With this information, a hacker can easily use AJAX functions without the intended interface by crafting specific HTTP requests directly to the server.^[9]

Types of Attacks on AJAX

Cross-Site Scripting (XSS)

One of the major concerns of attack that exploits AJAX through Cross Site Scripting. Maliciously injected scripts can actually leverage the AJAX provided functionalities to act on behalf of the user thereby tricking the user with the ultimate aim of redirecting his browsing session. XSS commonly targets scripts embedded in a page which are executed on the client-side rather than on the server-side. XSS exploits the internet security weaknesses of client-side scripting languages, with HTML and JavaScript as the prime culprits. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.^[10]

Example

HTML Code^[3]

AJAX Code^[4]

The example follows a site with the same function, to report back the temperature given a zip code. There are two different methods of implementation, the first is in the traditional HTML way and the second is by AJAX.

The source code for both versions are provided by the images titled 'HTML Code' and 'AJAX Code'.

If a hacker were to try and exploit the website, they would first try to view the source code of the page. In the HTML code, the source code is black box and the only information the hacker would extract from the code is that the method of retrieving information from the server is through a POST command through PHP.

On the other hand, the AJAX version of similar functionality, the code is white box and the functions used for the web page are transparent. It is quite apparent how the weather is calculated, the function getRadarReading makes an asynchronous call to a Web service to obtain the current radar data for the given ZIP code. The radar data XML returned from the Web service is parsed apart (in the handleReadingRetrieved function) to find the “cloud density” reading. A second asynchronous call getForecast passes the cloud density value back to the server. ^[11]

With this vital information hackers and inject malicious code into known functions of the AJAX code and manipulate the data to his liking. A hack into a simple weather page make not have detrimental consequences however if a hacker where do inject code through XSS onto a banking web page, for example, the hacker will be able to retrieve and change important information from many accounts hosted by the bank's server.

References

Are AJAX Applications Vulnerable to Hack Attacks?Published by Acunetix, 2006. Retrieved April 11, 2009.
How Traditional Web Applications Works Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
How Ajax Works Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
Ajax - Technical Introduction Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
Sullivan, Bryan Testing for Security in the Age of AJAX Programming 2006. Retrieved April 11, 2009.
Torab, Hazem. Web 2.0 Magazine: Sites using AJAXMarch 2007. Retrieved April 11, 2009.
Ajax - Technical Introduction Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
Hoffman, Billy and Sullivan, Bryan. AJAX Security. December 2007. Retrieved April 11, 2009.
Ajax - Technical Introduction Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
Cross Site Scripting - XSS - The Underestimated ExploitPublished by Acunetix, 2008. Retrieved April 11, 2009.
Hoffman, Billy and Sullivan, Bryan. AJAX Security. December 2007. Retrieved April 11, 2009.

Images

How Ajax Works Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
How Ajax Works Published by Java Jazz Up, April 2008. Retrieved April 11, 2009.
Hoffman, Billy and Sullivan, Bryan. AJAX Security. December 2007. Retrieved April 11, 2009.
Hoffman, Billy and Sullivan, Bryan. AJAX Security. December 2007. Retrieved April 11, 2009.