Geeks With Blogs


Lorin Thwaits A geek says what?

Had this question posed by a friend in my last London post:

What do you think of AJAX?  Do you know of security concerns?

Since you asked...

Security concerns with AJAX
AJAX is a very straightforward way to increase the dynamic feel of any site.  But we're talking about JavaScript calling almost directly into server-side code, so there are some big security concerns to be worried about with this architecture.  What was once one door into the server, the URL that retrieves the web page, is now accompanied by an additional door for every method the server exposes.  Because those methods return fairly raw data in response to a simple call, the code servicing them is likely to sit much closer to the database than the page-rendering code does.  So altogether there is more attack surface, and a mistake in any one of those methods is a mistake right next to the data.

The attack vector will largely be attempts to call into server-side code with non-standard parameters.  For those AJAX libraries that generate dynamic JavaScript, it's as simple as saving a rendered page as static HTML, and then modifying the JavaScript calls to see what comes back from the server.  Especially if text strings are being passed in, this is a vector for buffer overflow and injection attacks.  Or if database rows are referenced by a key field, then data outside the scope of a given user may be accessible with just a little experimentation: change the key, replay the call, and see whether the server hands back somebody else's row.  So hopefully this is not overlooked during code reviews.  All the normal security checks you would do for controls on a page, parameter validation and role-based authorization included, need to be done in the methods servicing the AJAX calls, because the page's own JavaScript is under the client's control and can't be trusted to do them.

Let's consider the software testers for a moment.  In recent years they've become more aware of standard security risks with traditional web pages.  So an adept tester will likely attempt a few HTML and SQL injection attacks as they're verifying a site.  But rarely do you find a tester who knows enough JavaScript to tamper with the calls an AJAX page makes, and thus with AJAX the real onus of security falls on the programmer.

And what about programmers today?  Most are familiar with the security risks of standard controls, and are in the habit of checking what is submitted very carefully.  (Or at least hopefully they are!)  But when you use a canned library to abstract the complexity behind issuing an XMLHttpRequest, it means you think less about the possible loopholes that attackers will certainly be probing.  When selecting a library to use, programmers and architects should test to see specifically whether there are any buffer overflow risks with the string data being passed in.  If in doubt, try passing in an inordinately large set of data and see what exceptions surface and where.  And once a library is chosen, then when coding there must be careful checks on all the parameters coming into the server-side AJAX methods to weed out values outside the norm (wrong type, wrong length, wrong range) and to provide a consistent enforcement of all role-based security, the same as you would for any other page.

.NET 2.0 is well-prepared for AJAX
In the .NET camp ASP.NET 2.0 now has provision for asynchronous callbacks, which makes implementing AJAX much easier.  In fact three of the new controls in 2.0 already use these asynchronous callbacks for a smoother user experience: GridView, DetailsView, and TreeView.  Pretty slick implementations there.

Probably very soon Microsoft will be releasing ATLAS, which is an add-on to ASP.NET to further leverage asynchronous callbacks and easily enable AJAX functionality.  So easy that you just set some declarative markup on a control and *BAM*, it wires up all the JavaScript and asynchronous handlers behind the scenes for you!  And from what I've seen so far it does this securely.  But there is a cost -- ATLAS uses more bandwidth than a home-grown custom solution would.  Here's a nice comparison of performance between .NET AJAX libraries.

So I'm definitely not trying to steer anyone away from AJAX in this post.  I'm just hoping that security will be maintained as more people adopt this excellent feature in their sites.


Posted on Thursday, February 9, 2006 1:15 AM ASP.NET , Exploits | Back to top

Comments on this post: AJAX as an attack vector

# re: AJAX as an attack vector
Thank you!
Left by Lobo on Feb 10, 2006 1:45 PM

# re: AJAX as an attack vector
The second phone shown is what DoCoMo is offering to compete
Left by DDos Protection on Nov 06, 2009 11:30 PM

# re: AJAX as an attack vector
Hey admin, incredible post! Please continue this great work.
Left by free sports games on Mar 06, 2010 7:03 PM


Copyright © Lorin Thwaits