Sunday, November 25, 2007

AJAX Vulnerabilities

Although AJAX is a most powerful set of technologies, developers must be
aware of the potential security holes and breaches to which AJAX
applications have become (and will become) vulnerable.


According to Pete Lindstrom, Director of Security Strategies with
the Hurwitz Group, Web applications are the most vulnerable elements of
an organization’s IT infrastructure today. An increasing number of
organizations (both for-profit and not-for-profit) depend on
Internet-based applications that leverage the power of AJAX. As this
group of technologies becomes more complex in order to deliver the depth
and functionality discussed, security risks will only increase if
organizations do not secure their web applications.


Increased interactivity within a web application means an increase
in XML, text, and general HTML network traffic. This exposes
back-end applications which might not previously have been reachable,
and, where server-side protection is insufficient, gives
unauthenticated users the possibility of manipulating their privilege
configurations.


There is a general misconception that AJAX applications are
more secure because it is thought that a user cannot access the
server-side script without the rendered user interface (the AJAX-based
webpage). XML HTTP Request based web applications obscure server-side
scripts, and this obscurity gives website developers and owners a false
sense of security – obscurity is not security. Since XML HTTP requests
use the same protocol as everything else on the web (HTTP),
technically speaking, AJAX-based web applications are vulnerable to the
same hacking methodologies as ‘normal’ applications.


Consequently, there is an increase in session management
vulnerabilities and a greater risk of hackers gaining access to the
many hidden URLs which are necessary for AJAX requests to be processed.


Another weakness of AJAX is the process that formulates server
requests. The Ajax engine uses JS to capture the user commands and to
transform them into function calls. Such function calls are sent in
plain visible text to the server and may easily reveal database table
fields such as valid product and user IDs, or even important variable
names, valid data types or ranges, and any other parameters which may
be manipulated by a hacker.


With this information, a hacker can easily use AJAX functions
without the intended interface by crafting specific HTTP requests
directly to the server. In the case of cross-site scripting, maliciously
injected scripts can actually leverage the AJAX-provided
functionality to act on behalf of the user, thereby tricking the user
with the ultimate aim of redirecting his browsing session (e.g.,
phishing) or monitoring his traffic.
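As an added example (not from the original post), the endpoint below is written as a plain JavaScript function so it runs without a web server: the insecure version trusts the role and user ID that arrive in the XHR body, exactly as if the rendered UI were the only possible caller, while the hardened version takes identity and privilege from the server-side session, requires a per-session anti-CSRF token in a custom header, and validates input against an allow-list. The session store, token values and field names are constructed for the illustration.

```javascript
// Constructed sample session store and per-session anti-CSRF tokens (server-side state).
const sessions = {
  'sess-alice': { userId: 17, role: 'user' },
  'sess-admin': { userId: 1, role: 'admin' },
};
const csrfTokens = { 'sess-alice': 'tok-a1', 'sess-admin': 'tok-b2' };
const ALLOWED_ROLES = new Set(['user', 'admin']);

// INSECURE: the caller's privilege is read from the request body. The field
// names are visible in the page's JS, so a request sent directly to the
// endpoint (no UI involved) can simply claim actorRole: 'admin'.
function insecureSetRole(req) {
  const { targetUserId, newRole, actorRole } = JSON.parse(req.body);
  if (actorRole !== 'admin') return { status: 403 };
  return { status: 200, changed: { targetUserId, newRole } };
}

// HARDENED: who the caller is and what they may do comes only from the
// session cookie; nothing in the body is trusted until it is validated.
function hardenedSetRole(req) {
  const sid = req.cookies.sid;
  const session = sessions[sid];
  if (!session) return { status: 401 };                 // not logged in
  // A custom header carrying the per-session token stops cross-origin forged
  // requests that ride on the browser's cookies. It does not protect against
  // script already injected into this origin via XSS; that needs output
  // encoding on the pages themselves.
  if (req.headers['x-csrf-token'] !== csrfTokens[sid]) return { status: 403 };
  if (session.role !== 'admin') return { status: 403 }; // authorization from session
  let body;
  try { body = JSON.parse(req.body); } catch { return { status: 400 }; }
  const { targetUserId, newRole } = body;
  if (!Number.isInteger(targetUserId) || !ALLOWED_ROLES.has(newRole)) {
    return { status: 400 };                             // allow-list validation
  }
  return { status: 200, changed: { targetUserId, newRole } };
}

// Demonstration: the same hand-crafted request against both handlers.
const forged = {
  cookies: {}, headers: {},
  body: JSON.stringify({ targetUserId: 17, newRole: 'admin', actorRole: 'admin' }),
};
console.log(insecureSetRole(forged).status, hardenedSetRole(forged).status); // 200 401
```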


JavaScript Vulnerabilities
Although many websites attribute their interactive features to JS, the
widespread use of such technology brings about several grave security
concerns.


In the past, most of these security issues arose from worms either targeting mailing systems or exploiting Cross Site Scripting (XSS)
weaknesses of vulnerable websites. Such self-propagating worms enabled
code to be injected into websites with the aim of being parsed and/or
executed by Web browsers or e-mail clients to manipulate or simply
retrieve user data.


As web browsers and their technological capabilities continue to
evolve, so does malicious use, reinforcing old security concerns and
creating new ones related to JS and AJAX. This technological
advancement is also occurring at a time when there is a significant
shift in the hacker's primary goal, which has changed from acts of
vandalism (e.g., website defacement) to theft of corporate data (e.g.,
customer credit card details) that yields lucrative returns on the
black market.


XSS worms will become increasingly intelligent and highly capable of
carrying out debilitating attacks such as widespread network denial of
service attacks, spamming and mail attacks, and rampant browser
exploits. It has also recently been discovered that it is possible to
use JS to map domestic and corporate networks, which immediately exposes
any devices on the network (print servers, routers, storage devices)
to attack.


Ultimately, such sophisticated attacks could pinpoint specific network
assets and embed malicious JS within a webpage on the corporate
intranet, or within any publicly available AJAX application that
returns data.


The problem to date is that most available web scanning tools
encounter serious problems auditing web pages with embedded JS. For
example, auditing client-side JS requires a great degree of manual
intervention (rather than automation).


Summary and Conclusions
The evolution of web
technologies is heading in a direction which allows web applications to
be increasingly efficient, responsive and interactive. Such progress,
however, also increases the threats which businesses and web developers
face on a daily basis.


With public ports 80 (HTTP) and 443 (HTTPS) always open to allow
dynamic content delivery and exchange, websites are at constant risk
of data theft and defacement unless they are audited regularly with a
reliable web application scanner. As the complexity of the technology
increases, website weaknesses become more evident and vulnerabilities
more grave.


The advent of AJAX applications has raised considerable security
issues due to a broadened threat window brought about by the very same
technologies and complexities developed. With an increase in script
execution and in the information exchanged in server/client requests and
responses, hackers have greater opportunity to steal data, thereby
costing organizations thousands of dollars in lost revenue, severe
fines, diminished customer trust and substantial damage to the
organization's reputation and credibility.


The only solution for effective and efficient security auditing is a
vulnerability scanner which automates the crawling of websites to
identify weaknesses. However, without an engine that parses and
executes JavaScript, such crawling is inaccurate and gives website
owners a false sense of security. Read about the JavaScript engine of Acunetix:
http://www.acunetix.com/websitesecurity/ajax.htm
