Thursday, May 20, 2010

Ajax Security

1. Introduction:-

There is a general misconception that AJAX applications are more secure because it is thought that a user cannot access the server-side script without the rendered user interface (the AJAX-based web page). XMLHttpRequest-based web applications obscure server-side scripts, and this obscurity gives website developers and owners a false sense of security – obscurity is not security. Since XMLHttpRequest calls use the same protocol as everything else on the web (HTTP), AJAX-based web applications are, technically speaking, vulnerable to the same hacking methodologies as ‘normal’ applications.

As a result, there is an increase in session management vulnerabilities and a greater risk of hackers gaining access to the many hidden URLs that are necessary for AJAX requests to be processed.

Another weakness of AJAX is the process that formulates server requests. The Ajax engine uses JS to capture the user commands and to transform them into function calls. Such function calls are sent in plain visible text to the server and may easily reveal database table fields such as valid product and user IDs, or even important variable names, valid data types or ranges, and any other parameters which may be manipulated by a hacker.

With this information, a hacker can easily use AJAX functions without the intended interface by crafting specific HTTP requests directly to the server. In the case of cross-site scripting, maliciously injected scripts can leverage the AJAX-provided functionality to act on behalf of the user, tricking the user with the ultimate aim of redirecting his browsing session (e.g., phishing) or monitoring his traffic.


2. What Can an Attacker Do:-

1. Once an attacker gets a foothold, they can obtain all of the scripts they need.
2. An attacker can make requests of your server. Your server cannot detect that the request did not originate with your application.
3. The attacker can see everything the user sees.
4. An attacker has control over the display and can request information from the user.
5. AJAX security shares many principles with normal web application security.
6. AJAX increases an application’s attack surface.

3. Example:-

Bad text (untrusted input)
" + alert("XSS") + "

Bad encoding (plain concatenation; the quotes in the input break out of the JSON string)
{"json": "" + alert("XSS") + ""}

Good encoding (quotes escaped by a real JSON encoder)
{"json": "\" + alert(\"XSS\") + \""}

4. Prevention:-

1. Use good encoders, e.g. json.org/json2.js.
2. Do not use simple concatenation.
3. Never trust the browser.
4. Validate all input.
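The example in section 3 and prevention items 1 and 2, worked through as added example code (not from the original post): the page's "Bad text" is placed in a JSON response first by plain concatenation and then by JSON.stringify, the native form of the json2.js encoder the post recommends, and a stubbed eval()-based consumer shows why the concatenated version is an XSS vector. The function names are my own.

```javascript
// Constructed input: the "Bad text" from the post.
const badText = '" + alert("XSS") + "';

// Unsafe: plain string concatenation. The quotes inside the input terminate
// the JSON string early, so the rest of the input becomes live code to any
// client that evaluates the response as JavaScript.
function encodeByConcatenation(value) {
  return '{"json": "' + value + '"}';
}

// Safe: a real JSON encoder escapes every quote and backslash in the value.
// (Output matches the post's "Good encoding" apart from whitespace.)
function encodeWithSerializer(value) {
  return JSON.stringify({ json: value });
}

// Does the response parse as JSON, and does the original text survive the
// round trip unchanged? A strict parser rejects the concatenated version.
function roundTrips(encoded, original) {
  try {
    return JSON.parse(encoded).json === original;
  } catch (e) {
    return false;
  }
}

// Simulates an early Ajax client that consumes the response with eval().
// alert is stubbed locally so the injected call can be observed rather than
// shown in a browser; returns true if the response executed it.
function consumedWithEval(encoded) {
  let called = false;
  const alert = () => { called = true; return ''; };
  try {
    eval('(' + encoded + ')'); // direct eval sees the local alert stub
  } catch (e) {
    // a syntax error means nothing ran
  }
  return called;
}
```

Pairing the encoder with JSON.parse on the client (rather than eval) is what removes the risk; the serializer alone only fixes the response, not a consumer that still evaluates arbitrary text.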
