Discovering the AJAX Flaws
By Don Kiely
I ve been thinking, reading, speaking, and writing a lot lately about the security threats that AJAX presents to Web sites that use it. You can read some of my thoughts in my previous asp.netNOW columns, but here is a quick summary. There really are no new vulnerabilities in AJAX because it is built on existing, well-understood, moderately insecure technologies. (Moderately insecure in that new security threats are discovered regularly that expose vulnerabilities.) What makes AJAX more insecure is that more processing is done on the client, there are more points of vulnerability (a larger attack surface), and it is new, so best practices are only now starting to be established.
The tools are Firebug for Firefox and Fiddler for Internet Explorer. They are quite different from each other, not competitors, giving you different ways of looking at a page or site. My objective here is not to fully review or evaluate these tools, but to give you enough information that you are highly motivated to install them and start seeing just how much information you can get about your Web site or any Web site that any user has access to. In many cases, you ll be scared bitless.
Best of all, both tools are free. What are you waiting for?
If the great set of features doesn t convince you to install Firebug, consider this: The more you read about AJAX exploits, the more likely you ll start finding that more often than not the person who discovered the exploit found it while dinking around the site using Firebug. Check out and install Firebug from http://www.getfirebug.com/.
Fiddler is an unsupported Microsoft product. It is a Web debugging proxy, which is fancy talk for a tool that lets you peek in on the conversations between a browser and the server. But more than that, it lets you set breakpoints and even modify the requests sent to the server. (Thus the name: you can fiddle with the traffic.) The scripting subsystem lets you extend the tool using any .NET language. It essentially brings into the browser what you used to have to use a separate sniffer for, and is focused on HTTP traffic rather than all network traffic and noise.
A debugging proxy sits between the browser on the client and the Web server. More accurately, it sits between the WinINET API which the browser uses to access the Internet and the Web server, capturing and processing, as well as modifying, what comes through. The Fiddler UI presents a slew of views into the traffic, providing insight into everything the browser is doing. You can look at the images on the page, get performance statistics for the actual traffic (as well estimates of what the delay would be at points around the world), the actual HTTP request and response headers and full packets (displayed in a variety of formats), generate custom responses, build requests, and set filters on the traffic. It s amazing what the folks at Microsoft built in to the product.
In a way completely different from Firebug, this high-level view of the actual traffic between a browser and server for an AJAX-enabled page can be quite enlightening. For one, you quickly get a feel for just how chatty an AJAX page is, with numerous requests and responses bouncing back and forth. One of many nice things about Fiddler is that it lets you filter the traffic so you can focus on what you find most interesting or important. This is a great way to discover how AJAX makes a Web application attack surface much larger.
You can find Fiddler at http://www.fiddlertool.com. Make sure you get the latest version, Fiddler 2 for use with .NET 2.0. The older version 1.3 remains available if you simply must use .NET 1.1.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:d[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.