XSS: The Spark to the AJAX Dynamite

This entry should serve as an introduction to the threat of cross site scripting and how they can be exacerbated by the use of AJAX. This is the first part of a multipart series where I will detail the numerous vulnerabilities that can lead to severe XSS-AJAX vulnerabilities.

You should follow this multipart series closely if you are manager or overseer of a team that is currently, or will be, working on a web application with AJAX components. If you’re considering moving your current client server application to be a web application the following blog entries will be integral to understanding the threats associated with web applications leveraging the AJAX technologies. This will allow you to make more secure decisions when designing the system.

On my last attendance to the Blackhat and Defcon security conferences I was surprised to see how far the simple Cross Site Scripting vulnerabilities have come. The methods of finding and exploiting these vulnerabilities as well as the possible payloads have come so far in the last year that many testers, developers, project managers and CSO don’t know how powerful a security problem this can be.

The samy worm showed many users on the popular myspace social networking site that there are no protections from a self-replicating worm, written in javascript – by a 17 year old kid.

The popularity of AJAX is unnecessarily increasing the attack surface of many web applications. It hides what is going on from the user and creates an easily scriptable interface to the core functionality of the web application.

Leveraging new technologies with misconfigured and vulnerable web applications malicious users can script much of the web browsing experience to attack the user browsing on a trusted website. These attacks include, but are not limited to the following:

  • Stealing cookies – one of the early attacks was to steal a user’s browser cookie, which may contain sensitive data or session IDs. Once an attacker has a session ID they can log in to the target site without proper credentials as the victim user
  • Stealing browser history – due to the way Firefox deals with link coloring and javascript an attacker may be able to guess where a user has been recently and discover their recent history.
  • Spying on the browser – javascript includes functions for sensing any keystroke or mouse click in the browser window. This would allow the attacker to spy on the data the victim inputs into any webpage.
  • Retrieving web contents – with AJAX technologies an attacker can steal web page data from the same domain “behind the scenes” of the page that the victim is currently viewing. This is especially interesting when browsing sites that may have a lot of content that is only a click away such as webmail or document sharing sites
  • Defacement – as the attacker controls the code on the site, they can effectively float any contents over the page they would like.
  • Redirection – the attacker can forcefully browse the victim to any site or page
  • Internal IP scanning – javascript tricks can be used to scan for live machines from behind a firewall • Posting data – an attacker can use the full power of HTTP POST and GET to make any requests.
  • Real time spying – by posting to a remote site the attacker can actively spy on the victim’s browser watching them browse from page to page, and to see every page they view and everything they type.

If you have any specific worries or vulnerabilities you'd like me to address in the coming weeks, please post them in the comments and I'll respond in my future entries or the comments section. This is going to be an exciting number of weeks!

--Joe

Copyright © 2007 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline