Sunday, November 25, 2007

AJAX Vulnerabilities

Although AJAX is a most powerful set of technologies, developers must be
aware of the potential security holes and breaches to which AJAX
applications have become (and will become) vulnerable.


According to Pete Lindstrom, Director of Security Strategies with
the Hurwitz Group, Web applications are the most vulnerable elements of
an organization’s IT infrastructure today. An increasing number of
organizations (both for-profit and not-for-profit) depend on
Internet-based applications that leverage the power of AJAX. As this
group of technologies becomes more complex in order to provide the depth
and functionality discussed, security risks will only increase if
organizations do not secure their web applications.


Increased interactivity within a web application means an increase
in XML, text, and general HTML network traffic. This exposes
back-end applications which might not previously have been reachable,
or, if there is insufficient server-side protection, gives
unauthenticated users the possibility of manipulating their privilege
configurations.


There is a general misconception that AJAX applications are
more secure because it is thought that a user cannot access the
server-side script without the rendered user interface (the AJAX based
webpage). XML HTTP Request based web applications obscure server-side
scripts, and this obscurity gives website developers and owners a false
sense of security – obscurity is not security. Since XML HTTP requests
use the same protocol as everything else on the web (HTTP),
technically speaking, AJAX-based web applications are vulnerable to the
same hacking methodologies as ‘normal’ applications.


Consequently, there is an increase in session management
vulnerabilities and a greater risk of hackers gaining access to the
many hidden URLs which are necessary for AJAX requests to be processed.


Another weakness of AJAX is the process that formulates server
requests. The Ajax engine uses JS to capture the user commands and to
transform them into function calls. Such function calls are sent in
plain visible text to the server and may easily reveal database table
fields such as valid product and user IDs, or even important variable
names, valid data types or ranges, and any other parameters which may
be manipulated by a hacker.


With this information, a hacker can easily use AJAX functions
without the intended interface by crafting specific HTTP requests
directly to the server. In the case of cross-site scripting, maliciously
injected scripts can actually leverage the AJAX-provided
functionality to act on behalf of the user, thereby tricking the user
with the ultimate aim of redirecting his browsing session (e.g.,
phishing) or monitoring his traffic.
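Because any of these function calls can be reproduced with a hand-crafted HTTP request, the only protection that counts is on the server. The following added example (not from the article or from Acunetix) shows an AJAX endpoint handler that authenticates from the session cookie, validates the visible user-ID parameter and authorizes the caller before returning any data; the request shape, SESSIONS, PROFILES and handleGetProfile are assumed names.

```javascript
// Added example: a server-side handler for an AJAX endpoint that trusts
// nothing the browser sends. The session store, profile data and request
// shape are constructed for this illustration.

// Constructed sample session store: session token -> authenticated user id.
const SESSIONS = new Map([
  ["sess-abc123", { userId: 42 }],
]);

// Constructed sample data the AJAX call exposes.
const PROFILES = new Map([
  [42, { userId: 42, email: "john@example.invalid" }],
  [43, { userId: 43, email: "joe@example.invalid" }],
]);

// Parse a Cookie header into a name -> value object; {} when absent.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Handle GET /profile?userId=N. Every check happens here, on the server,
// because the request may be hand-crafted rather than sent by the page's JS.
function handleGetProfile(req) {
  // 1. Authenticate from the session cookie, never from a request parameter.
  const cookies = parseCookies(req.headers.cookie);
  const session = SESSIONS.get(cookies.session);
  if (!session) return { status: 401, body: { error: "not authenticated" } };

  // 2. Validate the parameter's type and range: a visible "userId" field is
  //    exactly the kind of value the article says can be tampered with.
  const userId = Number(req.query.userId);
  if (!Number.isInteger(userId) || userId <= 0) {
    return { status: 400, body: { error: "bad userId" } };
  }

  // 3. Authorize: the caller may only read their own profile, regardless of
  //    which id was typed into the request.
  if (userId !== session.userId) {
    return { status: 403, body: { error: "forbidden" } };
  }

  const profile = PROFILES.get(userId);
  if (!profile) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: profile };
}
```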


JavaScript Vulnerabilities

Although many websites attribute their interactive features to JS, the
widespread use of such technology brings about several grave security
concerns.


In the past, most of these security issues arose from worms either targeting mailing systems or exploiting Cross Site Scripting (XSS)
weaknesses of vulnerable websites. Such self-propagating worms enabled
code to be injected into websites with the aim of being parsed and/or
executed by Web browsers or e-mail clients to manipulate or simply
retrieve user data.


As web browsers and their technological capabilities continue to
evolve, so does their malicious use, reinforcing old security concerns
related to JS and AJAX and creating new ones. This technological
advancement is also occurring at a time when there is a significant
shift in the hacker's ultimate goal, which has changed
from acts of vandalism (e.g., website defacement) to theft of corporate
data (e.g., customer credit card details) that yields lucrative returns
on the black market.


XSS worms will become increasingly intelligent and highly capable of
carrying out debilitating attacks such as widespread network denial of
service attacks, spamming and mail attacks, and rampant browser
exploits. It has also recently been discovered that it is possible to
use JS to map domestic and corporate networks, which instantly exposes
any devices on the network (print servers, routers, storage devices)
to attack.


Ultimately such sophisticated attacks could lead to pinpointing
specific network assets to embed malicious JS within a webpage on the
corporate intranet, or any AJAX application available for public use
and returning data.


The problem to date is that most available web scanning tools
encounter serious problems auditing web pages with embedded JS. For
example, auditing client-side JS requires a great degree of manual
intervention (rather than automation).


Summary and Conclusions

The evolution of web technologies is heading in a direction which allows
web applications to be increasingly efficient, responsive and
interactive. Such progress, however, also increases the threats which
businesses and web developers face on a daily basis.


With public ports 80 (HTTP) and 443 (HTTPS) always open to allow
dynamic content delivery and exchange, websites are at constant risk
of data theft and defacement unless they are audited regularly with a
reliable web application scanner. As the complexity of the technology
increases, website weaknesses become more evident and vulnerabilities
more grave.


The advent of AJAX applications has raised considerable security
issues due to a broadened threat window brought about by the very same
technologies and complexities developed. With an increase in script
execution and in information exchanged in server/client requests and
responses, hackers have greater opportunity to steal data, thereby
costing organizations thousands of dollars in lost revenue, severe
fines, diminished customer trust and substantial damage to their
reputation and credibility.


The only solution for effective and efficient security auditing is a
vulnerability scanner which automates the crawling of websites to
identify weaknesses. However, without an engine that parses and
executes JavaScript, such crawling is inaccurate and gives website
owners a false sense of security. Read about the JavaScript engine of Acunetix.
http://www.acunetix.com/websitesecurity/ajax.htm

DOM Based Cross Site Scripting

We all know what Cross Site Scripting (XSS) is, right? It's that 
vulnerability wherein one sends malicious data (typically HTML stuff
with Javascript code in it) that is echoed back later by the
application in an HTML context of some sort, and the Javascript code
gets executed. Well, wrong. There's a kind of XSS which does not
match this description, at least not in some fundamental properties.
The XSS attacks described above are either "non-persistent"/
"reflected" (i.e. the malicious data is embedded in the page that is
returned to the browser immediately following the request) or
"persistent"/"stored" (in which case the malicious data is returned
at some later time). But there's also a third kind of XSS attack -
the ones that do not rely on sending the malicious data to the
server in the first place! While this seems almost contradictory to
the definition or to common sense, there are, in fact, two
well-described examples of such attacks. This technical note discusses
the third kind of XSS, dubbed "DOM Based XSS". No claim is made to
novelty in the attacks themselves, of course; rather, the
innovation in this write-up is in noticing that these belong to a
different flavor, and that flavor is interesting and important.

Application developers and owners need to understand DOM Based XSS,
as it represents a threat to the web application, which has
different preconditions than standard XSS. As such, there are many
web applications on the Internet that are vulnerable to DOM Based
XSS, yet when tested for (standard) XSS, are demonstrated to be "not
vulnerable". Developers and site maintainers (and auditors) need to
familiarize themselves with techniques to detect DOM Based XSS
vulnerabilities, as well as with techniques to defend against them,
both of which are different from the ones applicable to standard
XSS.
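One detection technique that a standard (server-side) XSS test misses is a source-to-sink review of the page's own client-side script. The following added example (not from the technical note) is a small heuristic scanner over JavaScript source text that reports lines where an attacker-influenced DOM source such as document.URL or location.hash reaches a sink such as document.write or innerHTML, run over a constructed vulnerable script and a safer one; the source and sink lists, findDomXssCandidates and the sample scripts are assumptions.

```javascript
// Added example: a line-based heuristic for the DOM Based XSS pattern, i.e.
// a value read from an attacker-influenced DOM source reaching an HTML or
// script sink directly or through a variable. Lists and samples are
// constructed for this illustration, not taken from any real scanner.

const DOM_SOURCES = [
  "document.URL", "document.location", "location.hash",
  "location.search", "document.referrer", "window.name",
];
const DOM_SINKS = [
  "document.write", "document.writeln", ".innerHTML", ".outerHTML",
  "eval(", "setTimeout(", "setInterval(",
];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Return findings {line, source, sink} for the given script text.
function findDomXssCandidates(script) {
  const findings = [];
  const lines = script.split("\n");
  // Variables assigned on a line that reads a DOM source are treated as
  // tainted for all later lines (a deliberate over-approximation).
  const tainted = new Set();
  lines.forEach((text, i) => {
    const lineNo = i + 1;
    const sourcesHere = DOM_SOURCES.filter((s) => text.includes(s));
    const m = text.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=/);
    if (m && sourcesHere.length) tainted.add(m[1]);
    for (const sink of DOM_SINKS) {
      if (!text.includes(sink)) continue;
      // Source used on the same line as the sink.
      for (const s of sourcesHere) findings.push({ line: lineNo, source: s, sink });
      // Tainted variable appearing after the sink name on this line.
      const afterSink = text.slice(text.indexOf(sink) + sink.length);
      for (const v of tainted) {
        if (new RegExp(`\\b${escapeRe(v)}\\b`).test(afterSink)) {
          findings.push({ line: lineNo, source: v, sink });
        }
      }
    }
  });
  return findings;
}

// Constructed sample: the classic vulnerable pattern, where a URL fragment
// is written straight into the page without ever touching the server ...
const VULNERABLE_SCRIPT = `
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
`;
// ... and a safer version that inserts the same value as text, not markup.
const SAFER_SCRIPT = `
var name = new URLSearchParams(location.search).get("name") || "";
document.getElementById("greeting").textContent = name;
`;
```

A hit from this scanner is a candidate for manual review, not proof of a vulnerability; the value is that it finds the pattern in client code that a server-side XSS test never sees.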


Powered by ScribeFire.

RSS Feed Injection: Risk of Both

Web Reader Risks
People typically use browsers or local clients to subscribe to a Web-based
feed. They are affected by both local and remote zone issues depending on
the application's implementation. Online sites such as bloglines.com or
Google provide Web-based feed viewers and fall into the remote zone risk
category. Vulnerabilities in Web-based viewers grant attackers access to the
site's zone (allowing cookie theft) and to common abilities often available for
Cross-Site Scripting attacks.

Web Site Risks

The potential impact of a feed-based attack increases significantly when the
feed being controlled is syndicated on other Web sites. For example, if an
attacker-controlled feed was created on Site A and implemented on Site B,
its content would be included in Site B's content. If Site B were also
vulnerable to a Web feed attack, the attacker could then access Site B's
remote zone and users. In some cases an attacker-controlled feed is included
in feeds to other sites and also to users who in turn pass it elsewhere, rapidly
expanding the base of possible victims.


Definition of the DOM

Perhaps the most important piece of the DHTML puzzle is a specification for the
Document Object Model. I assign more weight to the DOM than to, say, CSS-P,
because it is the definition of a standard DOM that scripters will rely on for cross-platform
consistency in their scripts. An inconsistency among document object
models for Internet Explorer 3 and Navigator 3—particularly the lack of an Image
object in Internet Explorer 3—caused no little grief among scripters who
developed mouse rollover scripts in Navigator 3, only to have them cause script
errors for Internet Explorer 3 users.
Given the split evolution of document object models in Navigator and Internet
Explorer (especially with their divergence in level 4 versions), a recognized DOM
standard for scriptable objects will be difficult to achieve. The more each platform
has invested in the installed base of its existing document object model, the more
difficult it will be to reach a consensus, which may require rolling back features to
reach a scriptable common denominator.
Of all the standards efforts described in this chapter, the Document Object
Model is the least far along in its development. As of this writing, the most recent
document is the working draft of HTML-specific syntax. The W3C has assumed
responsibility for this standard. The earliest its results will reach browsers is
perhaps the level 5 versions of Navigator and Internet Explorer.


Book: Developer's Guide to Web Application Security

Book Description
Over 75% of network attacks are targeted at the web application layer. This book provides explicit hacks, tutorials, penetration tests, and step-by-step demonstrations for security professionals and Web application developers to defend their most vulnerable applications.

This book defines Web application security, why it should be addressed earlier in the lifecycle in development and quality assurance, and how it differs from other types of Internet security. Additionally, the book examines the procedures and technologies that are essential to developing, penetration testing and releasing a secure Web application. Through a review of recent Web application breaches, the book will expose the prolific methods hackers use to execute Web attacks using common vulnerabilities such as SQL Injection, Cross-Site Scripting and Buffer Overflows in the application layer. By taking an in-depth look at the techniques hackers use to exploit Web applications, readers will be better equipped to protect confidential.

  • The Yankee Group estimates the market for Web application-security products and services will grow to $1.74 billion by 2007 from $140 million in 2002

  • Author Matt Fisher is a highly sought after speaker who regularly delivers Web Application presentations at leading conferences including: Black Hat, TechnoSecurity, CanSec West, Shmoo Con, Information Security, RSA Conferences, and more

  • The Companion Web site will have downloadable code and scripts presented in the book

About the Author

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.

Customer Review
By Richard Callaby (Bradenton, Florida)

With the increasing number of incidents of crime that are occurring on the world wide web it behooves every programmer to become fluent in all aspects of information security. This book provides a great overview of the various methods a hacker uses to penetrate various forms of web architectures. The author's goal, it seems, was to cover a broad subject by touching on all important aspects of securing a website.

Throughout the book a hacker mindset is presented and how to design your website to overcome the tools and tricks of the hacker. For instance in many of the chapters the manner of attack that a hacker would use to exploit a piece of technology is covered. Overall I believe this book to be a good introduction to the field of securing websites. Since security in and of itself is such a broad subject and the Internet is also a broad subject it is unfair to expect one book to cover all aspects of a complex and dynamic environment.

By Jason (Bozeman, MT USA)
When I came across this book on the O'Reilly website I was immediately interested, as web applications are becoming more and more prevalent. And other than thinking it covered methods of securing web applications I had no preconceived assumptions. My main aspiration for this book was to give me better awareness of security in the area of web applications and to provide me with some tools. After having read this book I can say that it has done both.

Each of the chapters in this book seems to follow a pattern of first defining the topic, second giving real world examples, and finally providing the reader with solutions. The book begins by providing a history of the hacking methodology and defining the various types of hacking. It was interesting to learn about some of the various hacks and hackers. For example, I had no idea Steve Jobs (Apple Computers) used to be a hacker.

In chapter two the author discusses what he calls a "Code Grinder", and how to not become or produce a code grinder. A code grinder is someone who works in a highly regulated environment where creativity is discouraged. I found it interesting that a code grinder environment typically produces more insecure code than an environment that is open and promotes creativity.

Chapter three discusses the risks associated with mobile code. Chapter four covers vulnerable CGI scripts and introduces the reader to some tools such as Nikto and Web Hack Control Center to scan your website to find vulnerabilities. The author goes on to discuss the issues faced by the various CGI scripting languages, and then provides an outline of rules to writing secure CGI scripts.

Chapter five covers hacking techniques and tools. This section gets you into the mind of a hacker, what are their goals, how are those goals achieved and what tools do they use. In chapter six the topic is "Code Auditing and Reverse Engineering." This chapter I found exceptionally interesting and helpful. The author takes you through various types of vulnerabilities and with each weakness explains how it affects each of the more popular programming/scripting languages. And to take it a step further the author also provides the reader with the functions/methods for each programming/scripting language that are vulnerable to attack and then explains either how to use those functions securely or gives an alternative function/method that is more secure.

Chapters seven through ten cover securing code in specific languages; Java, XML, ActiveX, and ColdFusion. Chapter eleven discusses developing security enabled applications using such technologies as PGP, SSL, and PKI. Finally in chapter twelve the author wraps up the book by taking the reader through creating and working with a security plan.

CONCLUSION
--
I found this book to be interesting and a good read. I plan to make use of some of the tools it introduced in hardening applications I work with and develop. And as I mentioned before, the chapter on code auditing will be extremely useful to me in cleaning up existing apps and developing new ones. I liked this book and I would recommend it to anyone who is writing code.


Book: Cross Site Scripting Attacks: XSS Exploits and Defense

Book Description
Cross Site Scripting Attacks starts by defining the terms and laying out the ground work. It assumes that the reader is familiar with basic web programming (HTML) and JavaScript. First it discusses the concepts, methodology, and technology that makes XSS a valid concern. It then moves into the various types of XSS attacks, how they are implemented, used, and abused. After XSS is thoroughly explored, the next part provides examples of XSS malware and demonstrates real cases where XSS is a dangerous risk that exposes internet users to remote access, sensitive data theft, and monetary losses. Finally, the book closes by examining the ways developers can avoid XSS vulnerabilities in their web applications, and how users can avoid becoming a victim. The audience is web developers, security practitioners, and managers.

*XSS Vulnerabilities exist in 8 out of 10 Web sites
*The authors of this book are the undisputed industry leading authorities
*Contains independent, bleeding edge research, code listings and exploits that can not be found anywhere else

Customer Reviews
By Richard Bejtlich "TaoSecurity.com" (Washington, DC)
XSS Attacks earns 4 stars for being the first book devoted to Cross Site Scripting and for rounding up multiple experts on the topic. The authors are synonymous with attacking Web applications and regularly share their vast expertise via their blogs and tools. However, XSS Attacks suffers the same problems found whenever Syngress rushes a book to print -- nonexistent editing and uneven content. I found XSS Attacks to be highly enlightening, but I expect a few other books on the topic arriving later this year could be better.

First, as Tadaka mentioned, ch 3 is the best written part of the book. In fact, the author of ch 3 should have written the entire book. There is a difference between an author of a tool, an author of a blog, and an author of a book. The author of ch 3 clearly knows how to make a clear argument over the course of a long stretch of pages (over 90) and carry the reader. Lucky for non-book-buyers, Syngress posted ch 3 for free on their Web site. You'll get a great foundation on XSS, and learn about CSRF and backdooring Flash and Quicktime.

In terms of readability, ch 2 wasn't bad. I liked trying out various Firefox extensions and the author's examples were good. I think ch 1 should be completely dropped. It mentions terms not defined until ch 2. The language is exceptionally rough, indicating zero editing was done. The DNS pinning examples in ch 5 were confusing; it doesn't help novice readers to discuss [...] and then use [...]. (I think that's an error.) I really didn't get as much from the book past ch 3 as I did from ch 3.

The major take-away from XSS Attacks is that one should never trust clients. Furthermore, far too many vulnerable capabilities exist in applications most people would never dream of fearing, like those that render .pdf or .swf. I really liked the point that browsers constantly interpret and "fix" broken HTML, sometimes to the detriment of the security world. I also liked reading how users can be duped by attacks against the integrity of data, such as adding or removing details of Web sites.

Right now, if you want to learn more about recent XSS attacks in printed form, this book is your main option. Last year I favorably reviewed Lance James' book, Phishing Exposed, which includes some of these techniques. Later this year one of the other book reviewers, Dafydd Stuttard, should be publishing The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws. Syngress claims to be publishing Web Application Vulnerabilities: Detect, Exploit, Prevent by Steven Palmer in the fall. Hacking Exposed Web 2.0 by Himanshu Dwivedi is another option, but I find his security books to be poorly written. I highly recommend visiting the authors' blogs, since they cover a lot of the information in XSS Attacks.

Book: Securing Ajax Applications: Ensuring the Safety of the Dynamic Web

Book Description
Ajax applications should be open yet secure. Far too often security is added as an afterthought. Potential flaws need to be identified and addressed right away. This book explores Ajax and web application security with an eye for dangerous gaps and offers ways that you can plug them before they become a problem. By making security part of the process from the start, you will learn how to build secure Ajax applications and discover how to respond quickly when attacks occur.

Securing Ajax Applications succinctly explains that the same back-and-forth communications that make Ajax so responsive also give invaders new opportunities to gather data, make creative new requests of your server, and interfere with the communications between you and your customers. This book presents basic security techniques and examines vulnerabilities with JavaScript, XML, JSON, Flash, and other technologies -- vital information that will ultimately save you time and money.

Topics include:

* An overview of the evolving web platform, including APIs, feeds, web services and asynchronous messaging
* Web security basics, including common vulnerabilities, common cures, state management and session management
* How to secure web technologies, such as Ajax, JavaScript, Java applets, Active X controls, plug-ins, Flash and Flex
* How to protect your server, including front-line defense, dealing with application servers, PHP and scripting
* Vulnerabilities among web standards such as HTTP, XML, JSON, RSS, ATOM, REST, and XDOS
* How to secure web services, build secure APIs, and make open mashups secure

Securing Ajax Applications takes on the challenges created by this new generation of web development, and demonstrates why web security isn't just for administrators and back-end programmers any more. It's also for web developers who accept the responsibility that comes with using the new wonders of the Web.

What is Cross Site Scripting?

Cross site scripting (also known as XSS) occurs when a web application gathers malicious
data from a user. The data is usually gathered in the form of a hyperlink which contains malicious
content within it. The user will most likely click on this link from another website, an instant message,
or simply while reading a web board or email message. Usually the attacker will encode the
malicious portion of the link to the site in hex (or another encoding) so the request looks less
suspicious to the user when clicked on. After the data is collected by the web application,
it creates an output page for the user containing the malicious data that was originally sent to it,
but in a manner that makes it appear to be valid content from the website. Many popular guestbook and forum
programs allow users to submit posts with HTML and JavaScript embedded in them. If, for example, I
were logged in as "john" and read a message by "joe" that contained malicious JavaScript, then
it may be possible for "joe" to hijack my session just because I read his bulletin board post. Further
details on how attacks like this are accomplished via "cookie theft" are explained in detail below.
Source
