AJAX is not secure - Manu Cohen-Yashar's Blog

Manu Cohen-Yashar's Blog

AJAX is not secure

AJAX is the new hot technology for web applications. It lets the client do much more than it used to and delivers a much better user experience.

AJAX is based on XmlHttpRequests that the browser creates while the page is displayed. The user does not know that under the covers so many requests are being sent. AJAX is a JavaScript technology running mostly on the client side, so on the server the following question arises: will the average AJAX-enabled web application be able to tell the difference between a real and a faked XmlHttpRequest?

The answer is NO. AJAX is a client-side technology, and we all know that the client should not be trusted.

This makes AJAX a much more difficult technology to protect. We all know how difficult it is to bring application security to traditional server applications. For AJAX it is double the effort.

AJAX is advancing rapidly and new frameworks are introduced frequently but none can secure the AJAX application in a reasonable manner.

From a business and an architectural point of view, unfortunately, today we have to make a tradeoff: security versus user experience.

Proper design can use AJAX in a sandbox. This means the less sensitive areas of the application can enjoy AJAX, while around the sensitive business logic and information an "AJAX firewall" is built. For example, there will be no AJAX-enabled web service that exposes sensitive information.

If you do need to implement some AJAX, remember that AJAX enables new XSS capabilities, so server-side validation must be much stricter. Not only the body of the HTTP request must be validated but all of its headers as well. Never trust a third party. AJAX applications fetch information from various untrusted sources such as feeds, blogs and search results. If this content is never validated prior to being served to the end browser, it can lead to dangerous cross-site exploitation.
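One way to implement the strict validation described above, as an added example that is not part of the original post: every header and the body of an AJAX request are checked against an allow-list, and third-party feed content is encoded before it is served to the browser. The function names and the expected `query`/`page` fields are assumptions for the example.

```javascript
// Added example (not from the post): strict validation of every header and the
// body of an AJAX request, then output encoding of untrusted feed content.
const MAX_BODY_BYTES = 4096;
const JSON_CONTENT_TYPE = /^application\/json(;\s*charset=utf-8)?$/i;

// Header names: lowercase tokens. Values: visible ASCII, no CR/LF, so nothing
// can be smuggled into logs or into headers the server forwards downstream.
function headerOk(name, value) {
  return /^[a-z0-9-]+$/.test(name) && typeof value === 'string' &&
    value.length <= 1024 && /^[\x20-\x7e]*$/.test(value);
}

// req is a plain object: { headers: {lowercase name -> string}, body: string }.
function validateAjaxRequest(req) {
  const errors = [];
  const headers = req.headers || {};
  for (const [name, value] of Object.entries(headers)) {
    if (!headerOk(name, value)) errors.push(`bad header: ${name}`);
  }
  if (!JSON_CONTENT_TYPE.test(headers['content-type'] || '')) errors.push('unexpected content-type');
  const body = typeof req.body === 'string' ? req.body : '';
  if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) errors.push('body too large');
  let data = null;
  if (errors.length === 0) {
    try { data = JSON.parse(body); } catch (e) { errors.push('body is not JSON'); }
  }
  // Allow-list validation of the fields this call expects; extra fields are
  // rejected rather than silently ignored.
  if (data !== null && typeof data === 'object' && !Array.isArray(data)) {
    if (Object.keys(data).some(k => k !== 'query' && k !== 'page')) errors.push('unexpected field');
    if (typeof data.query !== 'string' || !/^[\w .-]{1,64}$/.test(data.query)) errors.push('bad query');
    if (!Number.isInteger(data.page) || data.page < 1 || data.page > 1000) errors.push('bad page');
  } else if (errors.length === 0) {
    errors.push('body must be a JSON object');
  }
  return { ok: errors.length === 0, errors, data: errors.length === 0 ? data : null };
}
// Feed content is untrusted: encode it so the browser shows it as text, and
// allow only http(s) links, so no markup or script from the feed is interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function safeHttpUrl(u) {
  try { const p = new URL(u); return /^https?:$/.test(p.protocol) ? p.href : '#'; } catch (e) { return '#'; }
}
function renderFeedItems(items) {
  return items.map(i => `<li><a href="${escapeHtml(safeHttpUrl(i.link))}">${escapeHtml(i.title)}</a></li>`).join('');
}
```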

With AJAX, a lot of the logic is shifting to the client side. This may expose the entire application to some serious threats.

The urge for data integration from multiple parties and untrusted sources can increase the overall risk factor as well: XSS, XSRF, cross-domain issues and serialization on the client side, and insecure web services, XML-RPC and REST access on the server side.

Conversely, AJAX can be used to build graceful applications with seamless data integration. However, one insecure call or information stream can backfire and end up opening an exploitable security hole.

These new technology vectors are promising and exciting to many, but even more interesting to attackers and to virus and worm writers.

To stay secure, first answer the question: is AJAX really needed? Second, make sure it lives in a sandbox. Third, make sure your developers pay attention to implementation details and take security into consideration.

Comments

Doron Ben-David said:

I disagree with you on many levels.

Maybe enough for a whole post on the subject...

If AJAX is not secure enough according to your claims, then neither is any other HTML page.

You need to split the problem in two:

1. The server side - which you need to protect, regardless of AJAX. From the server's point of view there is no difference between a synchronous request and an asynchronous request.

A proper development methodology holds that there is no such thing as valid input, so you always need to check what comes in.

2. The client side - where you need to prepare in advance for input from the server, know how to clean up after yourself and receive updates. If the server's output is "malicious", then yes - you can inject into the client things you don't want. On the other hand, what prevents the output of a plain ASPX page from being just as malicious?

Here too, by the way, the same remark as in the previous point - on the client side as well, always validate what you received.

Regarding what you wrote about the information sources - simply not true. First, AJAX does not allow crossing between domains (and in the new versions of IE8 and FF3, all kinds of clever "holes" were closed). That is - you need to serve the content from your own server.

I may write a post and expand on the subject, but in the meantime... I wanted to make clear that I completely disagree with what was written here.

September 13, 2009 10:50 AM

Bill said:

How is ajax any less secure than ANY web technology, including ASP.NET on its own? I don't understand this article, as "not trusting the client" is a tenet of any web application, not just "ajax" ones.

Are you saying that, somehow, using a web app without ajax is more secure than using one with ajax? If so you are greatly mistaken.

September 14, 2009 9:19 AM

Fernando said:

such a load of... well, let's settle on uninformative and misleading items.

ajax, just like any other browser-based technology including good 'ole html apps, is as secure as you make it. it's not less secure than "normal" html pages, nor is it more secure, for that matter. it's all in the hands of you, the designer.

and do allow me to comment on the specifics...

"... Ajax is a java script technology running mostly on the client side and on the server the following question arises: will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?

The answer is NO. AJAX is a client side technology and we all know that the client should not be trusted."

not true. first, you can always put your ajax page behind a secure location protected by password. that way, you'll have to authenticate for the ajax services, which means non-authenticated users won't be able to consume your ajax services.

"If you do need to implement some AJAX remember that AJAX enables new XSS capabilities..."

well, actually it does not. xss (cross site scripting) is a threat whenever you trust 3rd party execution and/or when you don't validate inputs, whether by ajax or otherwise. using ajax techniques does not increase nor decrease the threat.

"AJAX is advancing rapidly and new frameworks are introduced frequently but none can secure the AJAX application in a reasonable manner."

whoa, dude, that is just plain wrong.

first, there are heaps of ajax web apps dealing with highly sensitive information in an extremely secure manner. my online banking app is ajax based and is brilliantly secure. if you just follow security best practices, i'm convinced your ajax app will be pretty secure and you'll be able to provide brilliant ux (user experience) in a highly secure manner. and the good thing, if you're in the microsoft world, you'll even get some libraries and tools to facilitate that.

i could go on and on, but i think you got the idea: ajax is as secure as you make it. you can make it go awfully wrong and you'll be exposed to countless threats, but the same goes for any other web-based technology. on the other hand, you can make ajax extremely secure without compromising on user interface / experience.

ta,

f

September 14, 2009 9:58 AM

Manu Cohen-Yashar said:

I am happy to get all the above remarks. I do agree that an application is as secure as you make it. The question is how easy it is to make it secure.

If we look at average normal server applications (which are much easier to secure than an AJAX application) we can see that the security situation is severe. The situation in the average AJAX application is even worse just because it is more difficult to protect.

I would like to quote my friends in OWASP who speak about the challenges in AJAX application testing. www.owasp.org/.../Testing_for_AJAX_Vulnerabilities_(OWASP-AJ-001)

(There are tons of more resources for example: www.darknet.org.uk/.../ajax-is-your-application-secure-enough )

To make a secure application, work must be done. This is true in any application, but when the attack surface is wide it is simply more difficult.

Whether you want it or not, an AJAX application introduces new security challenges. I think an organization should check if it is ready and can face those efficiently. If the answer is NO, I would choose security over user experience.

September 14, 2009 6:57 PM

Doron Ben-David said:

Manu, I've written a detailed response in my blog:

www.ben-david.co.il

September 16, 2009 5:00 PM
