Calling users donkeys and other security woes of AJAX

By Joab Jackson

AJAX, or Asynchronous JavaScript and Extensible Markup Language, brings exciting new capabilities to Web applications, but it can also lead to new dangers, industry observers say.

“The biggest problem with AJAX is that it creates an entirely new attack surface for people,” said Scott Morrison, chief architect at Layer 7 Technologies, which offers appliances for securing and accelerating XML-based content over networks. With simple Web pages, the intelligence lies in the Web server. But AJAX is asking the browser to do more of the heavy lifting, he said, and developers all too often fail to put security measures in place to safeguard these complex interactions.

“AJAX is predicated on having this JavaScript engine running on the browser for pulling out information from the back end. The problem is [that] those engines tend to be written by developers quickly…to solve problems,” Morrison said. Little thought is put into screening what kind of data the browser handles.

Perhaps the chief problem is cross-site scripting, abbreviated as XSS. In a presentation at last year’s JavaOne conference in San Francisco, VeriSign engineer Karthik Shyamsunder showed how a cross-site scripting attack could work.

A malicious hacker could write JavaScript code that could, in theory, insult the user by having the browser generate a pop-up box that called the user a donkey, such as:
    <script>alert("You are a Donkey");</script>
When the script is carried inside a Web address, each space is written in its URL-encoded form, %20.
This JavaScript could be placed within any Web page. A trickster could lure the user — via an e-mail from a trusted address, for instance — onto a commonly visited site that accepts user input, such as one that invites comments or asks for the user’s name to personalize the Web page.

If the server does not limit the types of data it allows as input, a script could be submitted that the server would, in turn, pass along to the user’s browser.

Perhaps the server accepts input on how to personalize the Web page it will return to the user. This could be done within the Web address itself: the trickster could format the address sent to the server to hold the malicious script rather than the name of the user. The upshot is that when the user unwittingly submits the link request to the server, the Web server generates a customized Web page that executes the malicious script and calls the user a donkey.
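The reflected flow described above, as an added example that is not from the article or from Shyamsunder's presentation: a page that greets the user by a "name" taken from the link, first rendered with no output encoding, then with HTML escaping applied before the value reaches the browser. The URL, parameter name and function names are assumptions for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the article. Shows why a personalized page
// that echoes a query parameter must escape it, using the article's payload.

// Pull the "name" value out of a request URL. searchParams.get() turns the
// %20 and other percent-encoded sequences back into characters, which is
// what a real Web server does before the value reaches page-generation code.
function nameFromUrl(url) {
  const name = new URL(url, "http://example.invalid").searchParams.get("name");
  return name === null ? "friend" : name;
}

// Vulnerable: the decoded name is pasted straight into the HTML, so any
// markup it contains is interpreted by the browser as part of the page.
function renderGreetingVulnerable(name) {
  return `<h1>Welcome, ${name}!</h1>`;
}

// Escape the five characters that can change HTML structure or attribute
// boundaries, so user input is always rendered as text, never as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same template, but the name is escaped at the point of output.
function renderGreetingSafe(name) {
  return `<h1>Welcome, ${escapeHtml(name)}!</h1>`;
}

// Constructed sample link (hypothetical host) carrying the article's
// "donkey" script, URL-encoded, in place of a name.
const SAMPLE_LINK =
  "http://example.invalid/welcome?name=%3Cscript%3Ealert(%22You%20are%20a%20Donkey%22)%3B%3C/script%3E";

// Simple check a code reviewer or a test can apply to generated HTML:
// did a <script> element survive into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Returns both renderings for the sample link so the difference is visible.
function demo() {
  const name = nameFromUrl(SAMPLE_LINK);
  return {
    vulnerable: renderGreetingVulnerable(name),
    hardened: renderGreetingSafe(name),
  };
}
```

The hardened rendering leaves the text of the payload visible on the page but inert, which is the behaviour a server should exhibit whenever it echoes user-supplied input.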
