Discovering the AJAX Flaws

Secure ASP.NET

By Don Kiely
I've been thinking, reading, speaking, and writing a lot lately about the security threats that AJAX presents to Web sites that use it. You can read some of my thoughts in my previous asp.netNOW columns, but here is a quick summary. There really are no new vulnerabilities in AJAX, because it is built on existing, well-understood, moderately insecure technologies: HTTP, JavaScript, and the browser's XMLHttpRequest object. (Moderately insecure in that new threats against them are discovered regularly.) What makes an AJAX application less secure than a classic postback page is that more processing is done on the client, where an attacker can read and alter it; there are more entry points into the server, so the attack surface is larger; and the technology is new enough that best practices are only now starting to be established.

Nevertheless, what is going on, and what makes things insecure, is largely hidden. Viewing a page's source gives you some insight into the embedded JavaScript, and if you're really determined you can download the .js files referenced in src attributes. Trust me on this: that isn't how hackers do it, and you shouldn't either. So this month I want to recommend two tools that any Web developer will find useful for investigating and debugging their own sites. And maybe you'll even find some hidden flaw in someone else's site (which you will, of course, immediately report to the Webmaster!). There are plenty of other Web site and security analysis tools out there, but learning these two is a great way to start.

The tools are Firebug for Firefox and Fiddler for Internet Explorer. They are quite different from each other, complements rather than competitors, and they give you different ways of looking at a page or site: Firebug shows you the page as the browser sees it, Fiddler shows you the traffic as the wire sees it. My objective here is not to fully review or evaluate these tools, but to give you enough information that you are highly motivated to install them and start seeing just how much information you can get about your Web site, or any Web site, using nothing more than what any user has access to. In many cases, you'll be scared bitless.

Best of all, both tools are free. What are you waiting for?

Firebug

Firebug is a must-have add-on for current versions of Mozilla Firefox. If you've used Firefox for a while you may already rely on another add-on, Chris Pederick's Web Developer toolbar (View | Toolbars | Web Developer Toolbar once it is installed), which provides a wealth of information about the current page, including a very nice aggregated view of all the JavaScript the page uses, whether it is embedded in the page or in a .js file on the server, and including the virtual JavaScript files generated by server software such as ASP.NET's WebResource.axd and ScriptResource.axd handlers.

But Firebug goes well beyond the developer toolbar: it lets you "edit, debug, and monitor CSS, HTML, and JavaScript live in any web page," to quote the tool's home page. I'll let you read about all the rather amazing features on the tool's site, including some of my favorites, which help resolve problems with CSS in a page (that one feature has saved my professional career more than once!).

The juicy stuff when it comes to AJAX is the support for executing, viewing, and debugging JavaScript on the fly. Firebug provides a real JavaScript debugger, with breakpoints and a console, that lets you dig into all the Web service calls an AJAX page makes, and it can log every XMLHttpRequest the page issues along with its request and response. Sometimes the calls are buried deep in external files, such as the virtual .axd files that ASP.NET AJAX serves, but with Firebug you can do a good job of discovering how the page works as a whole. And once you have poked around what actually happens at run time with any AJAX framework, you quickly get better at getting past the standard, built-in plumbing to find the custom logic, which is where the application-specific flaws live.
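
Here is the kind of thing you end up typing into Firebug's console once you start looking for those calls. This is an added example, not code from the column or from Firebug itself: a hook on XMLHttpRequest.prototype that records the method, URL, body, and response status of every request the page makes from then on, so the page's Web service endpoints enumerate themselves no matter which .js or .axd file the calls are buried in. In a browser you call hookXhr(window.XMLHttpRequest, console.log); the FakeXhr class, the host paths, and the request bodies below are constructed stand-ins so the example also runs outside a browser.

```javascript
// Added example (not from the column, not part of Firebug). Wraps open() and
// send() on an XMLHttpRequest constructor so every request the page issues is
// recorded. In Firebug's console: var h = hookXhr(window.XMLHttpRequest, console.log);
// then drive the page and inspect h.calls or h.endpoints().
function hookXhr(XhrCtor, log) {
  const calls = [];                       // one record per request, in send order
  const proto = XhrCtor.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;

  proto.open = function (method, url) {
    // open() only declares the request; remember it until send() fires.
    this.__ajaxRecord = { method: String(method).toUpperCase(), url: String(url), body: null, status: null };
    return origOpen.apply(this, arguments);
  };

  proto.send = function (body) {
    const rec = this.__ajaxRecord;
    if (rec) {
      rec.body = body == null ? null : String(body);
      calls.push(rec);
      // Capture the status when the response lands, without touching the
      // page's own onreadystatechange/onload handlers.
      this.addEventListener('loadend', () => {
        rec.status = this.status;
        if (log) log(rec.status, rec.method, rec.url, rec.body);
      });
    }
    return origSend.apply(this, arguments);
  };

  return {
    calls,
    // Distinct METHOD + path pairs: the page's AJAX attack surface at a glance.
    endpoints() {
      const seen = new Set();
      for (const c of calls) seen.add(c.method + ' ' + c.url.split('?')[0]);
      return Array.from(seen).sort();
    },
    // Put the original methods back when you are done.
    unhook() { proto.open = origOpen; proto.send = origSend; }
  };
}

// Constructed stand-in for XMLHttpRequest so the example runs without a
// browser. It never touches the network: send() immediately reports 200.
class FakeXhr {
  constructor() { this.status = 0; this._listeners = []; }
  open(method, url) { this._method = method; this._url = url; }
  addEventListener(type, fn) { if (type === 'loadend') this._listeners.push(fn); }
  send(body) { this.status = 200; for (const fn of this._listeners) fn(); }
}

// Simulated page activity: an ASP.NET AJAX UpdatePanel partial postback, two
// calls to a hypothetical OrderService.asmx Web method, and a script download.
// Paths and bodies are made up for this example.
function simulatePage(XhrCtor) {
  const hook = hookXhr(XhrCtor, null);
  const requests = [
    ['POST', '/Orders.aspx', '__EVENTTARGET=btnRefresh&__VIEWSTATE=dDwx'],
    ['POST', '/Services/OrderService.asmx/GetOrder', '{"orderId":1042}'],
    ['POST', '/Services/OrderService.asmx/GetOrder', '{"orderId":1043}'],
    ['GET', '/ScriptResource.axd?d=abc', null],
  ];
  for (const [method, url, body] of requests) {
    const xhr = new XhrCtor();
    xhr.open(method, url);
    xhr.send(body);
  }
  hook.unhook();
  return hook;
}
```

Notice that the framework's own traffic (the .axd download, the UpdatePanel postback) shows up right beside the custom Web method; endpoints() collapses the two GetOrder calls into one entry, and the recorded bodies show you exactly which parameters the client controls.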

 

If the feature set doesn't convince you to install Firebug, consider this: read a few write-ups of AJAX exploits and you'll notice how often the person who found the flaw was simply poking around the site with Firebug. Check out and install Firebug from http://www.getfirebug.com/.

Fiddler

Fiddler comes from Microsoft (it was written by Microsoft's Eric Lawrence) but is not a supported Microsoft product. It is a Web debugging proxy, which is fancy talk for a tool that sits in the middle of the conversation between a browser and the server and lets you watch it. But more than that, it lets you set breakpoints on requests and responses and modify them before they go on their way. (Thus the name: you can fiddle with the traffic.) Its scripting subsystem, FiddlerScript, is JScript.NET, and compiled extensions can be written in any .NET language. It gives you, for HTTP alone, what you used to need a separate packet sniffer for, without the rest of the network noise, and because it works above the socket layer it shows you complete requests and responses rather than fragments.

A debugging proxy sits between the browser on the client and the Web server. More precisely, Fiddler registers itself as the system proxy for WinINET, the API Internet Explorer and most Windows applications use to reach the Internet, and listens on 127.0.0.1 port 8888; anything that honors that proxy setting (a browser such as Firefox has to be pointed at it by hand) sends its traffic through Fiddler, which captures, displays, and, if you ask, modifies it. Plain HTTP is visible as-is; HTTPS is visible only if you enable Fiddler 2's HTTPS decryption and trust the certificate it generates, since Fiddler is then doing exactly what a man-in-the-middle would do. The Fiddler UI presents a slew of views into the traffic, providing insight into everything the browser is doing. You can look at the images on the page, get performance statistics for the actual traffic (as well as estimates of the delay at various points around the world), see the raw HTTP request and response headers and bodies (displayed in a variety of formats), generate custom responses, build requests from scratch, and set filters on the traffic. It's amazing what the folks at Microsoft built into the product.

In a way completely different from Firebug, this view of the actual traffic between browser and server for an AJAX-enabled page can be quite enlightening. For one, you quickly get a feel for just how chatty an AJAX page is, with numerous requests and responses bouncing back and forth, each one a request the server must validate on its own. One of the many nice things about Fiddler is that it lets you filter the traffic so you can focus on what you find most interesting or important, such as only the calls to a particular Web service. This is a great way to discover how AJAX makes a Web application's attack surface much larger: every method the page can call, an attacker can call too, with whatever parameters he likes.
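
The filtering and the fiddling both come together in Fiddler's rules script. What follows is an added example, not part of the column and not shipped with Fiddler: two handlers for the Handlers class in CustomRules.js (Rules | Customize Rules...), written in FiddlerScript, which is Fiddler's JScript.NET dialect of JavaScript. Session, HostnameIs, uriContains, oRequest, oResponse, utilDecodeRequest, utilReplaceInRequest, the ui-* flags and FiddlerObject.log are Fiddler's own API; the host name shop.example, the OrderService.asmx path and the order IDs are made up for the illustration. The first handler picks the AJAX calls out of the noise and rewrites one of them on its way to the server; the second marks the JSON that comes back.

```jscript.net
// Added example (not from the column, not part of Fiddler). Paste both
// functions inside the Handlers class in CustomRules.js. Host, service path
// and order IDs are assumptions for illustration.
static function OnBeforeRequest(oSession: Session) {
    // Only the site under test; everything else passes through untouched.
    if (!oSession.HostnameIs("shop.example")) return;

    // ASP.NET AJAX sends "X-MicrosoftAjax: Delta=true" on UpdatePanel partial
    // postbacks, and its generated proxies POST JSON to .asmx/.svc URLs. Color
    // both so the AJAX calls stand out from ordinary page, image and .axd traffic.
    var isPartialPostback = oSession.oRequest.headers.Exists("X-MicrosoftAjax");
    var isServiceCall = oSession.uriContains(".asmx/") || oSession.uriContains(".svc/");
    if (isPartialPostback || isServiceCall) {
        oSession["ui-color"] = "blue";
        oSession["ui-bold"] = "true";
        FiddlerObject.log("AJAX call: " + oSession.oRequest.headers.HTTPMethod + " " + oSession.fullUrl);
    }

    // Tamper: when the page asks the service for order 1042, ask for 1043 instead.
    // If someone else's order comes back, the Web method is trusting the client to
    // say which records it may read. That is an authorization flaw in the method;
    // AJAX merely made the method reachable from a browser.
    if (oSession.uriContains("/OrderService.asmx/GetOrder")) {
        oSession.utilDecodeRequest();    // remove any compression before editing the body
        oSession.utilReplaceInRequest('"orderId":1042', '"orderId":1043');
    }
}

static function OnBeforeResponse(oSession: Session) {
    if (!oSession.HostnameIs("shop.example")) return;

    // Mark JSON responses: this is the data the page's JavaScript actually
    // consumes, and the first place to look for fields a user should never see.
    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "json")) {
        oSession["ui-color"] = "green";
    }
}
```

The same edit can be made by hand with a request breakpoint (bpu /OrderService.asmx/GetOrder in the QuickExec box) and the Inspectors tab, but a rule like this repeats it on every call, which is what you want when the page makes the same call twenty times a minute. Remember that the browser never sees the substitution, so any client-side check the page performs on orderId has already been bypassed by the time the request leaves Fiddler.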

 

You can find Fiddler at http://www.fiddlertool.com. Make sure you get the latest version, Fiddler 2, which requires the .NET Framework 2.0. The older version 1.3 remains available if you simply must stay on .NET 1.1.

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.