Wednesday, August 9th, 2006

Cross-Domain Ajax Insecurity

Category: Ajax, Security, XmlHttpRequest

Chris Shiflett has posted his look today at cross-domain Ajax requests and some of the security implications that can come with it, especially in a world where more and more developers are beginning to think it’s okay.

Since the birth of Ajax (the term, not the technology), there has been an increasing interest in various client-side technologies, especially JavaScript. Those who have forged ahead in an attempt to innovate new ways of applying Ajax have inevitably run into the same-domain security policy of XMLHttpRequest(). As a result, there has been an increasing demand for cross-domain Ajax, and there are several creative techniques in use today to get around the same-domain restriction (none of which I consider cross-domain Ajax).

He talks about other methods that can capture the data in an Ajax request (post scanner), but notes that one of the real dangers is removing a barrier for cross-site request forgeries that most normal sites already have in place.

To illustrate, he mentions an issue Digg had with a “self-digging story” a little while back. He also includes a sort of how-to on the method that was used to accomplish it – basically a JavaScript form submit on each viewing. There are checks in place for it now, but the same kind of issue remains with cross-domain requests. Sure, you’d have to lure diggers to another page to get the key required for another digg, but since the code runs on the client, Digg doesn’t have much protection.

It’s worth noting that XSS vulnerabilities allow malicious JavaScript to execute within your domain, thereby avoiding the same-domain restrictions. This can have catastrophic consequences. Just ask MySpace.

Posted by Chris Cornutt at 10:03 am

3.7 rating from 67 votes


See my conversation with Mr. Shiflett in the comments of his post as to why I rated this a two out of five.

Comment by The Hater — August 9, 2006

General feedback: please don’t include the same link (to Chris’s post) multiple times. It’s confusing and I have to check whether they are the same or not before opening them… Thanks for considering this in your future posts.

Comment by Julien Couvreur — August 9, 2006

AJAX greatest security myth busted

There’re way too many heated discussions on AJAX security and too many so-called experts that speculate on this issue. Let’s just settle down for a moment, forget about all the buzzwords and try to see whether AJAX really implies some security proble…

Trackback by Professional Internet Consulting — August 25, 2006

Why isn’t there a service that will return XML content as a string, maybe as JSON, so that we bloggers can retrieve cross-domain XML in our humble client apps via JavaScript injection? Like:

and return this:

xmlString = '<?xml version="1.0" encoding="UTF-8"?><rdf:RDF …></rdf:RDF>';

Then I can do something like this:
<script id="myXML" src="">
var parser = new DOMParser(); // gecko only
var doc = parser.parseFromString(xmlString, "text/xml");

Comment by rickdog — October 3, 2006
