Secure ASP.NET
Magnifying Security Vulnerabilities through AJAX
By Don Kiely
AJAX is one of the primary technologies of Web 2.0, and it already is making the Web as rich an experience as desktop applications. But it also introduces new opportunities for attackers because of the way it exposes more inputs and internal functions of the Web server. It can also amplify cross-site scripting attacks. New cool AJAX applications are often implemented with too little concern for security.
Let s cut to the chase: AJAX is not secure! It s insecure! It s nasty in how insecure it is!
That s all you really need to know. Well, no, okay, that s not the end of the story. What s interesting about AJAX is that, while it can be inherently insecure, there are no new vulnerabilities! After all, AJAX is just a lot of JavaScript a whole lot! and some data going back and forth. (The data once was XML, sort of, but the X in AJAX doesn t really apply universally anymore, if it ever did.) All traveling over HTTP, often using the XmlHTTPRequest object. What s new about that? Not much, other than a slightly different way of thinking about applications.
What AJAX does that makes it such a potential security problem is to take all the security vulnerabilities of its component parts JavaScript, HTTP, the browser, HTML, everything else and magnify them a hundred-fold.
Here s the deal. There are two basic things going on that make AJAX far less secure than an equivalent Web page. First, it is built on components that have their own insecurities. The existing vulnerabilities of individual components are relatively well known, and new vulnerabilities appear at a rate no worse than any other software component. Second, the typical AJAX-ified Web page performs scores more interactions with the server than a typical Web page. Sure, the typical page is downloading a bunch of images and a few other resources, but so is the AJAX page.
All those additional interactions increase the attack surface, security-speak for presenting an attacker with more nooks and crannies to probe for weaknesses. If your site has not one entry point but dozens, consisting of Web services, AJAX calls, and various other interaction points, can you really be sure that they are all secure? And it s not just the security of the individual services. Are you sure that once an attacker inventories all those potential attack points, he or she won t skip the uninteresting ones and go straight for the juicy stuff? Maybe bypass the authentication stuff and go straight to the credit cards you have stored to make your customers shopping experiences simpler.
There are all kinds of dangers in AJAX applications. In the months to come, I ll explore various aspects of AJAX insecurity, how the architecture leads to problems as processing moves from the server to the client, and how the confusion of the control and data channels a classic security problem makes possible many AJAX and Web problems. But if you just can t wait for these future columns, you can check out the references below. These are some of the most interesting AJAX security resources I ve found lately, along with the rather simple Google search that gives a lifetime s worth of reading on the topic.
Some interesting AJAX security references:
- AJAX Security Webcasts by Microsoft s Joe Stagner and researchers from SPI Dynamics. Covers the top threats and attacks, with interesting analysis of Samy and Yamanner worms.
- Ajax Security Dangers from SPI Dynamics. A bit high-level, but a good introduction.
- Secure ASP.NET AJAX Development by Jason Schmitt. Addison-Wesley (Digital Short Cut e-book).
- AJAX Security by Billy Hoffman and Bryan Sullivan. Coming in December 2007 (but has been oft-delayed).
- Google search for AJAX security. Bajillions of resources (43,800,000 as of late November 2007).
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
