AJAX Application Attacks

Understanding Ajax and JavaScript

Ajax is a popular technology for Web 2.0 applications. Ajax (which is shorthand for asynchronous JavaScript and XML) is not one component, but is a group of related development techniques for Web applications. At the heart of Ajax’s functionality is the ability to asynchronously retrieve data from a Web server without disrupting the display of a web page. Dynamic web pages that update without a complete page refresh are enabled by Ajax technology.

Static Web applications load a page into a user’s Web browser and then cut off connection with the Web server. If the user initiates an action that requires a refresh of the page display, the application must re-establish the Web server connection and refresh the entire page. Ajax includes a technique known as XML HTTP Request that allows data to be retrieved asynchronously in the background, eliminating the need to reload the page for every user interaction.

Ajax consists of these technologies:

  • HTML, XHTML and CSS (Cascading Style Sheets) for web page presentation.
  • XLM and XSLT enable interchange of data and play a role in data manipulation and display.
  • Document Object Model (DOM) provides mechanisms for dynamic display of data and user access of web page content.
  • XML HTTP Request enables asynchronous data retrieval.
  • JavaScript (JS) is the scripting language that unites the Ajax technologies. It is a significant element of Web 2.0 applications.

The term “Ajax” was invented in 2005 by a Web user experience designer named Jesse James Garrett. Since then, Ajax technologies have come to be associated with increased levels of usability, performance and interaction in Web applications. The user experience has become richer as Web applications and traditional PC and Mac-based applications have become more similar. Web applications such as Google Docs and Yahoo Mail now resemble desktop spreadsheets, word processors and email applications.

How Ajax and JavaScript Work

When a Web application session is initiated, an Ajax engine implemented in JavaScript is loaded. This engine serves as an intermediary between the user and the Web server, providing both display and communication services. These services deliver a high level of responsiveness. Requests sent to the Web server are handled immediately and individual areas of the web page are updated independently and asynchronously. There is no need for a total page refresh. For example, interacting with an email application in the past required several user actions and page refreshes before individual email messages could be read. An email application that takes advantage of Ajax’s asynchronous transfer method requires fewer clicks and less waiting on the part of the user. Performance is improved due to fewer requests to the server for data updates. Since different components on the web page are refreshed in the background, there is a reduction is required data bandwidth per transfer. This also provides performance improvements.

Web applications that utilized Ajax also benefit in these areas: Web form submission, search query fetches, category tree edits, record inserts and deletes. Each of these operations can be performed asynchronously and independently.

Ajax Attack Vulnerabilities

When developers tap into the power of Ajax for Web applications, they need to be aware of potential security breaches that will leave their applications vulnerable to attack. As more businesses and organizations use Ajax-based Web applications to establish an Internet presence, hackers are becoming cleverer about compromising the security of these applications. The importance of securing Ajax implementations has never been greater.
Analyst Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, summarizes the current situation. “Companies have done a pretty good job installing firewalls and protecting networks. The area with the greatest vulnerability now is in the applications themselves. It’s proving to be an easier target.”

As Web applications become more interactive, network traffic increases. This traffic may consist of XML, text or dynamic HTML that has been generated by applications. Back-end applications may be exposed to more types of input and more risk from a lack of Web server protection. There is a real risk of insufficient server authentication that can allow malicious users to access and change their privilege levels.

False Sense of Security

Many website owners harbor a misconception about the security of Ajax-based Web applications, thinking that hackers cannot access Web server scripts unless they go through a Web application web page. When Web applications user XML HTTP Requests, server scripts are hidden, increasing the false sense of security for website owners and developers. However, XML HTTP Requests are based on HTTP protocol, like all Web pages, and are therefore vulnerable to the same hacker threats as any other website.
Ajax applications are especially subject to security breaches in the area of session management, where vulnerabilities may allow hackers to use hidden URLS to hijack server requests to back-end applications. The formulation of server requests is another area of vulnerability. The JavaScript Ajax engine takes user requests and translates them into application function calls. These calls are sent to the Web server as plain text and may reveal secure information that can be intercepted by a hacker.

If a hacker is able to intercept application function calls, they can be use to formulate new HTTP requests that are sent directly to the Web server. Cross-site Scripting (XSS) can be used to inject malicious scripts that include Ajax function calls. An application user may become the victim of browser redirection (or phishing) or have his Internet traffic monitored.

JavaScript Attack Vulnerabilities

JavaScript is a powerful tool for Web applications, but it also enables additional security threats. Before Ajax became a popular methodology, the most prevalent types of security issues were related to worms that targeted email and XSS vulnerabilities in websites. Worms are self-propagating pieces of code that can attack Web browsers or email applications and access or modify data.

The new capabilities brought to Web browsers by Ajax and JavaScript have come at the same time as attacks by hackers have moved from a malicious focus to illegal activities. Instead of defacing websites, hackers now target corporate data, including financial and identity information, with the purpose of credit card fraud and identity theft.

Hackers are leveraging Ajax technology and JavaScript to create more dangerous forms of XSS worms. New forms of attack include spamming and mail attacks and widespread network denials of service. Recently, JavaScript has found a new use by hackers in mapping corporate and home networks, making network devices such as routers and storage medium vulnerable to attack.

Solution for Ajax and JavaScript Vulnerabilities

The powerful Web application capabilities that are enabled by Ajax and JavaScript have brought significant gains in the interaction and performance. Unfortunately, with these gains have come new vulnerabilities and security concerns. Since server ports 80 (for HTTP) and 443 (for HTTPS) are public and always open for dynamic content transfer, Web applications are vulnerable 24/7 to data theft and website defacement. This increases the need for a reliable web application scanner that will find and diagnose Web application vulnerabilities.

The increased use of scripts that is a key component of Ajax applications creates increased opportunity for hackers to access secure data. Besides a loss of revenue, loss of secure data can result in a loss of customer trust. Organizations that hope to benefit from Ajax technology must ensure that vulnerabilities will be removed and breaches avoided.

Securing AJAX web applications

Click here to learn more about Acunetix Web Vulnerability Scanner and how the solution works with AJAX applications.  Alternatively take a product tour or download the Free Edition of Acunetix Security Scanner.

Understanding Ajax and JavaScript
Ajax is a popular technology for Web 2.0 applications. Ajax (which is shorthand for asynchronous JavaScript and XML) is not one component, but is a group of related development techniques for Web applications. At the heart of Ajax’s functionality is the ability to asynchronously retrieve data from a Web server without disrupting the display of a web page. Dynamic web pages that update without a complete page refresh are enabled by Ajax technology.Static Web applications load a page into a user’s Web browser and then cut off connection with the Web server. If the user initiates an action that requires a refresh of the page display, the application must re-establish the Web server connection and refresh the entire page. Ajax includes a technique known as XML HTTP Request that allows data to be retrieved asynchronously in the background, eliminating the need to reload the page for every user interaction.

Ajax consists of these technologies:

HTML, XHTML and CSS (Cascading Style Sheets) for web page presentation.
XLM and XSLT enable interchange of data and play a role in data manipulation and display.
Document Object Model (DOM) provides mechanisms for dynamic display of data and user access of web page content.
XML HTTP Request enables asynchronous data retrieval.
JavaScript (JS) is the scripting language that unites the Ajax technologies. It is a significant element of Web 2.0 applications.

The term “Ajax” was invented in 2005 by a Web user experience designer named Jesse James Garrett. Since then, Ajax technologies have come to be associated with increased levels of usability, performance and interaction in Web applications. The user experience has become richer as Web applications and traditional PC and Mac-based applications have become more similar. Web applications such as Google Docs and Yahoo Mail now resemble desktop spreadsheets, word processors and email applications.

How Ajax and JavaScript Work

When a Web application session is initiated, an Ajax engine implemented in JavaScript is loaded. This engine serves as an intermediary between the user and the Web server, providing both display and communication services. These services deliver a high level of responsiveness. Requests sent to the Web server are handled immediately and individual areas of the web page are updated independently and asynchronously. There is no need for a total page refresh. For example, interacting with an email application in the past required several user actions and page refreshes before individual email messages could be read. An email application that takes advantage of Ajax’s asynchronous transfer method requires fewer clicks and less waiting on the part of the user. Performance is improved due to fewer requests to the server for data updates. Since different components on the web page are refreshed in the background, there is a reduction is required data bandwidth per transfer. This also provides performance improvements.

Web applications that utilized Ajax also benefit in these areas: Web form submission, search query fetches, category tree edits, record inserts and deletes. Each of these operations can be performed asynchronously and independently.

Ajax Attack Vulnerabilities

When developers tap into the power of Ajax for Web applications, they need to be aware of potential security breaches that will leave their applications vulnerable to attack. As more businesses and organizations use Ajax-based Web applications to establish an Internet presence, hackers are becoming cleverer about compromising the security of these applications. The importance of securing Ajax implementations has never been greater.
Analyst Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, summarizes the current situation. “Companies have done a pretty good job installing firewalls and protecting networks. The area with the greatest vulnerability now is in the applications themselves. It’s proving to be an easier target.”

As Web applications become more interactive, network traffic increases. This traffic may consist of XML, text or dynamic HTML that has been generated by applications. Back-end applications may be exposed to more types of input and more risk from a lack of Web server protection. There is a real risk of insufficient server authentication that can allow malicious users to access and change their privilege levels.

False Sense of Security

Many website owners harbor a misconception about the security of Ajax-based Web applications, thinking that hackers cannot access Web server scripts unless they go through a Web application web page. When Web applications user XML HTTP Requests, server scripts are hidden, increasing the false sense of security for website owners and developers. However, XML HTTP Requests are based on HTTP protocol, like all Web pages, and are therefore vulnerable to the same hacker threats as any other website.
Ajax applications are especially subject to security breaches in the area of session management, where vulnerabilities may allow hackers to use hidden URLS to hijack server requests to back-end applications. The formulation of server requests is another area of vulnerability. The JavaScript Ajax engine takes user requests and translates them into application function calls. These calls are sent to the Web server as plain text and may reveal secure information that can be intercepted by a hacker.

If a hacker is able to intercept application function calls, they can be use to formulate new HTTP requests that are sent directly to the Web server. Cross-site Scripting (XSS) can be used to inject malicious scripts that include Ajax function calls. An application user may become the victim of browser redirection (or phishing) or have his Internet traffic monitored.

JavaScript Attack Vulnerabilities

JavaScript is a powerful tool for Web applications, but it also enables additional security threats. Before Ajax became a popular methodology, the most prevalent types of security issues were related to worms that targeted email and XSS vulnerabilities in websites. Worms are self-propagating pieces of code that can attack Web browsers or email applications and access or modify data.

The new capabilities brought to Web browsers by Ajax and JavaScript have come at the same time as attacks by hackers have moved from a malicious focus to illegal activities. Instead of defacing websites, hackers now target corporate data, including financial and identity information, with the purpose of credit card fraud and identity theft.

Hackers are leveraging Ajax technology and JavaScript to create more dangerous forms of XSS worms. New forms of attack include spamming and mail attacks and widespread network denials of service. Recently, JavaScript has found a new use by hackers in mapping corporate and home networks, making network devices such as routers and storage medium vulnerable to attack.

Solution for Ajax and JavaScript Vulnerabilities

The powerful Web application capabilities that are enabled by Ajax and JavaScript have brought significant gains in the interaction and performance. Unfortunately, with these gains have come new vulnerabilities and security concerns. Since server ports 80 (for HTTP) and 443 (for HTTPS) are public and always open for dynamic content transfer, Web applications are vulnerable 24/7 to data theft and website defacement. This increases the need for a reliable web application scanner that will find and diagnose Web application vulnerabilities.

The increased use of scripts that is a key component of Ajax applications creates increased opportunity for hackers to access secure data. Besides a loss of revenue, loss of secure data can result in a loss of customer trust. Organizations that hope to benefit from Ajax technology must ensure that vulnerabilities will be removed and breaches avoided.

Share this post

Leave a Reply

Your email address will not be published.