AJAX (Asynchronous JavaScript + XML) is a combination of web browser technologies that allows web page content to be updated “on-the-fly” without the user moving from page to page.
Coined by Jesse James Garrett of Adaptive Path
Not a language!
Uses JavaScript on the client and any Language on the Server
Ajax is the latest inheritor of the Dynamic HTML mantle, and allows for the development of feature-rich and practical web applications.
Dynamic HTML - a DHTML webpage is any webpage in which client-side scripting changes variables of the presentation definition language, which in turn affects the look and function of otherwise "static" HTML page content, after the page has been fully loaded and during the viewing process.
AJAX is commonly used along with DHTML to provide an enhanced user interface.
AJAX and DHTML are two separate things
OWASP
What is AJAX? (cont.)
In the background of an AJAX-enabled web page, data is transferred to and from the web server.
The mechanism for performing asynchronous data transfers is a software library embedded in all modern web browsers called XMLHttpRequest (XHR).
An AJAX web application uses an XHR JavaScript object to poll a remote web server for data, and then manipulates that data to update the web page via the DOM.
“Ajax Engine” - the XMLHttpRequest (XHR) Object
Allows us to send information to the server without post backs
Makes the request and receives the data back
Can be asynchronous or synchronous
XHR is the key to a website earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.
Cannot close a window that mobile code did not open
Cannot open a window that is too small
Browser’s “Same Origin” Policy
Also called “Server of Origin” Policy
“Origin” = (protocol + host + port) parts of the URL
Restriction limits interaction between frames, iframes, and script tags from different origins
Prevents client-side JavaScript from making requests to any server other than the server from which it was downloaded
Restriction has been extended to include XMLHttpRequest
XHR has security protections built-in, preventing a user’s browser on Website A from making connections to Website B, to protect users from malicious websites
Can only load XML from originating server
Different browser vendors implement this security somewhat differently
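An added example (not code from the OWASP deck) that applies the origin rule stated above, "origin = protocol + host + port", to decide whether a script on one page may send XHR to a given URL; the default-port table is an assumption about how browsers fill in a missing port.

```javascript
// Origin = (scheme, host, port). A missing port means the scheme's default port,
// so http://websiteA/ and http://websiteA:80/ are the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  // Hostnames are case-insensitive; path, query and fragment play no part in the origin.
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Under the classic policy described on this slide, script loaded into pageUrl
// may only issue XHR to targetUrl when the two origins match exactly.
function xhrAllowed(pageUrl, targetUrl) {
  return isSameOrigin(pageUrl, targetUrl);
}
```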
“Same Origin” Policy for AJAX
More “Same Origin” Policy Cases
Proxy Remote Services
Also called “AJAX Bridging” or “Server-Side Proxy”
Third-party proxy such as Apache mod_proxy, or a custom proxy
Has performance / security limitations
The Remote Proxy Solution
Developers often create a local HTTP proxy on the host web server.
To have the client pull in data from a third-party website, they’ll direct an XHR request through the local proxy pointing to the intended destination.
Consider the following example request generated by the web browser:
http://websiteA/proxy?url=http://websiteB/
Website A takes the incoming request, and sends a request to Website B designated by the “URL” parameter value.
The security issue is that Website A is hosting an unrestricted HTTP proxy, and attackers love open proxies because they can initiate attacks that cannot be traced to their origin.
The capabilities of the proxy should be carefully controlled and restricted with regard to which websites it will connect to and how.
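An added example (not code from the OWASP deck) showing the target check for the /proxy?url= endpoint in its open form beside a restricted form that applies the controls asked for above; the allowlist, the https-only rule and the host names are constructed assumptions.

```javascript
// Constructed partner allowlist: the only destinations the proxy may reach.
const ALLOWED_HOSTS = new Set(["websiteb.example"]);
const ALLOWED_SCHEMES = new Set(["https:"]);

// The open proxy the slide warns about: whatever the client put in ?url= is fetched as-is.
function openProxyTarget(urlParam) {
  return urlParam;
}

// The restricted proxy: returns a normalized target URL, or null to refuse the request.
function restrictedProxyTarget(urlParam) {
  let u;
  try { u = new URL(urlParam); } catch { return null; }   // unparsable -> refuse
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null;      // no file:, ftp:, plain http:
  if (u.username || u.password) return null;              // "allowed-host@other-host" trick
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;        // exact host match, never substring
  if (u.port && u.port !== "443") return null;            // only the partner service's own port
  u.hash = "";                                            // fragments are never sent upstream
  return u.toString();
}
```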
Security Issues with AJAX Bridges
An Ajax-enabled online book store called spibooks.com wants to access some of the Web services that majorbookstore.com provides, such as an author search or genre recommendation service.
While anyone can sign up for a free account to access majorbookstore.com’s Web services, these free accounts have very limited privileges:
The number of unique queries,
The number of simultaneous queries,
The number of hits per second will be set very low.
A formal partner agreement between the two companies allows spibooks.com to access majorbookstore.com with fewer restrictions.
Security Issues with AJAX Bridges (cont.)
If the attacker wants to copy the entire author database from majorbookstore.com, he or she can simply issue thousands of queries to the Ajax bridge running on spibooks.com.
The relationship between the two Web sites allows the attacker to extract more data by going through spibooks.com than if he or she had used a free account directly from majorbookstore.com.
It is common in these situations for spibooks.com to limit the number of queries it has to make, reduce bandwidth, and improve performance for its users by caching the results it receives from majorbookstore.com.
Since the attacker’s query may already be in the cache, the attacker may be able to extract data faster by using spibooks.com.
Security Issues with AJAX Bridges (cont.)
An attacker can also send malicious requests through the Ajax bridge from spibooks.com to majorbookstore.com; the bridge is another layer for the attacker to hide behind.
An attacker may cause a Denial of Service against all spibooks.com users if an IPS at majorbookstore.com detects the malicious requests coming from spibooks.com’s IP address and then automatically blocks all requests from spibooks.com.
It is possible that majorbookstore.com will not detect the attack being relayed through the Ajax bridge if it does not scrutinize the requests it receives from spibooks.com for malicious content as closely as the requests it receives from others.
This is common practice, since the two parties have an agreement to help each other and there is an immense amount of traffic coming in from spibooks.com.
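An added example (not code from the OWASP deck) of the control the bridge scenario calls for: a per-client quota on spibooks.com's bridge, charged before the cache lookup so that cached answers do not let one caller extract data faster than the quota allows. The bucket sizes and the fetchUpstream stand-in for the majorbookstore.com call are constructed for illustration.

```javascript
const BUCKET_CAPACITY = 5;          // burst allowed per client (constructed value)
const REFILL_PER_SECOND = 1;        // sustained rate per client (constructed value)
const buckets = new Map();          // clientId -> { tokens, last }
const cache = new Map();            // query -> result from the partner
let upstreamCalls = 0;              // how many times the partner service was actually hit

// Token bucket per client; `now` is a timestamp in seconds.
function takeToken(clientId, now) {
  const b = buckets.get(clientId) || { tokens: BUCKET_CAPACITY, last: now };
  b.tokens = Math.min(BUCKET_CAPACITY, b.tokens + (now - b.last) * REFILL_PER_SECOND);
  b.last = now;
  buckets.set(clientId, b);
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// Stand-in for the partner call: counts calls so the cache's effect is visible.
function fetchUpstream(query) {
  upstreamCalls += 1;
  return `result-for-${query}`;
}

// The quota is charged first; only then is the cache consulted. A cached hit still
// costs a token, so the cache cuts partner traffic without raising any one client's rate.
function bridgeQuery(clientId, query, now) {
  if (!takeToken(clientId, now)) return { status: 429, body: null };
  if (!cache.has(query)) cache.set(query, fetchUpstream(query));
  return { status: 200, body: cache.get(query) };
}

function upstreamCallCount() { return upstreamCalls; }
```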
We tend to believe that while surfing the Web we are protected by firewalls and isolated through private network address translated Internet Protocol (IP) addresses.
With this understanding we assume the soft security of intranet Web sites and the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, and so forth, even if they are left unpatched.
Nothing is capable of directly connecting in from the outside world. Right?
Web browsers can be completely controlled by any Web page, enabling them to become launching points to attack internal network resources.
The Web browser of every user on an enterprise network becomes a stepping-stone for intruders.
Exploit Procedures
A victim visits a malicious Web page or clicks a nefarious link; embedded JavaScript malware then assumes control over their Web browser.
JavaScript malware loads a Java applet revealing the victim’s internal NAT IP address.
Then, using the victim’s Web browser as an attack platform, the JavaScript malware identifies and fingerprints Web servers on the internal network.
Attacks are initiated against internal or external Web sites, and compromised information is sent outside the network for collection.
Port Scanning Behind your Firewall
JavaScript can:
Request images from internal IP addresses, e.g. <img src="192.168.0.4:8080"/>