Magnifying Security Vulnerabilities through AJAX

AJAX is one of the primary technologies of Web 2.0. But as Don Kiely explains, it is not secure!

Don Kiely

October 30, 2009


Secure ASP.NET

AJAX is one of the primary technologies of Web 2.0, and it already is making the Web as rich an experience as desktop applications. But it also introduces new opportunities for attackers because of the way it exposes more inputs and internal functions of the Web server. It can also amplify cross-site scripting attacks. New cool AJAX applications are often implemented with too little concern for security.

Let's cut to the chase: AJAX is not secure! It's insecure! It's nasty in how insecure it is!

That's all you really need to know. Well, no, okay, that's not the end of the story. What's interesting about AJAX is that, while it can be inherently insecure, there are no new vulnerabilities! After all, AJAX is just a lot of JavaScript (a whole lot!) and some data going back and forth. (The data once was XML, sort of, but the X in AJAX doesn't really apply universally anymore, if it ever did.) All traveling over HTTP, often using the XMLHttpRequest object. What's new about that? Not much, other than a slightly different way of thinking about applications.

What AJAX does that makes it such a potential security problem is to take all the security vulnerabilities of its component parts (JavaScript, HTTP, the browser, HTML, everything else) and magnify them a hundred-fold.

Here's the deal. There are two basic things going on that make AJAX far less secure than an equivalent Web page. First, it is built on components that have their own insecurities. The existing vulnerabilities of individual components are relatively well known, and new vulnerabilities appear at a rate no worse than any other software component. Second, the typical AJAX-ified Web page performs scores more interactions with the server than a typical Web page. Sure, the typical page is downloading a bunch of images and a few other resources, but so is the AJAX page.

All those additional interactions increase the attack surface, security-speak for presenting an attacker with more nooks and crannies to probe for weaknesses. If your site has not one entry point but dozens, consisting of Web services, AJAX calls, and various other interaction points, can you really be sure that they are all secure? And it's not just the security of the individual services. Are you sure that once an attacker inventories all those potential attack points, he or she won't skip the uninteresting ones and go straight for the juicy stuff? Maybe bypass the authentication stuff and go straight to the credit cards you have stored to make your customers' shopping experiences simpler.
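To make the attack-surface point concrete, here is an added example (my own, not code from the column) that models a site with two entry points: the account page and the AJAX endpoint that feeds it with stored card data. The session store, card records and route names are constructed for illustration; the check at the end calls every entry point without a session and reports which ones answer with data instead of demanding authentication.

```javascript
// Added example, constructed for illustration (session store, card records and
// route names are all made up): one page handler and the AJAX endpoint behind it.
const SESSIONS = { "sess-alice": "alice" };
const CARDS = { alice: ["**** **** **** 1111"], bob: ["**** **** **** 2222"] };

// Resolve the authenticated user from the session cookie, or null if none.
function currentUser(req) {
  const sid = (req.cookies || {}).session;
  return sid && SESSIONS[sid] ? SESSIONS[sid] : null;
}

// The visible "front door": redirects to login when there is no session.
function accountPage(req) {
  return currentUser(req) ? { status: 200, body: "account page" }
                          : { status: 302, body: "/login" };
}

// Vulnerable model: the AJAX endpoint assumes it is only ever called from the
// account page, so it skips authentication and trusts the user named in the query.
const vulnerableRoutes = {
  "/account": accountPage,
  "/ajax/cards": (req) => ({ status: 200, body: CARDS[req.query.user] || [] }),
};

// Hardened model: every entry point authenticates on its own, and the data
// endpoint serves only the authenticated user's records, ignoring the query.
const hardenedRoutes = {
  "/account": accountPage,
  "/ajax/cards": (req) => {
    const user = currentUser(req);
    if (!user) return { status: 401, body: "authentication required" };
    return { status: 200, body: CARDS[user] || [] };
  },
};

function dispatch(routes, req) {
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404, body: "not found" };
}

// Defender's check: call every entry point with no session at all and report
// the ones that answer 200 with data instead of demanding authentication.
function unauthenticatedLeaks(routes) {
  return Object.keys(routes).filter((path) => {
    const res = dispatch(routes, { path, query: { user: "alice" }, cookies: {} });
    return res.status === 200;
  });
}

console.log(unauthenticatedLeaks(vulnerableRoutes), unauthenticatedLeaks(hardenedRoutes)); // [ '/ajax/cards' ] []
```

The same inventory-and-probe loop is worth running against a real route table: any endpoint that returns data to a request with no session is one an attacker can reach without ever seeing the login page.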

 

There are all kinds of dangers in AJAX applications. In the months to come, I'll explore various aspects of AJAX insecurity, how the architecture leads to problems as processing moves from the server to the client, and how the confusion of the control and data channels (a classic security problem) makes possible many AJAX and Web problems. But if you just can't wait for these future columns, you can check out the references below. These are some of the most interesting AJAX security resources I've found lately, along with the rather simple Google search that gives a lifetime's worth of reading on the topic.

Some interesting AJAX security references:

  • AJAX Security Webcasts by Microsoft's Joe Stagner and researchers from SPI Dynamics. Covers the top threats and attacks, with interesting analysis of the Samy and Yamanner worms.

  • Ajax Security Dangers from SPI Dynamics. A bit high-level, but a good introduction.

  • Secure ASP.NET AJAX Development by Jason Schmitt. Addison-Wesley (Digital Short Cut e-book).

  • AJAX Security by Billy Hoffman and Bryan Sullivan. Coming in December 2007 (but has been oft-delayed).

  • Google search for AJAX security. Bajillions of resources (43,800,000 as of late November 2007).

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.