Comments on: Subverting Ajax

By: Andi

Andi — Tue, 09 Jan 2007 14:33:25 +0000

This is the general danger in JavaScript, so this is just one of million examples how to manipulate native functions and methods. This one is probably riskier but if you check all JS sources in your HTML such a thing should be the exception. What about some useless JavaScript:

XMLHttpRequest = null;
document.body.innerHTML = ‘Blank site’;
while(1) {
alert(’Fun’);
}

By: Martin

Martin — Tue, 09 Jan 2007 10:15:35 +0000

Mikael, this is a problem with XSS, nothing more. It basically says “once an attacker can get his JS code to execute in a user’s browser, he can access and change the javascript therein.” A striking revelation…

By: kourge

kourge — Tue, 09 Jan 2007 06:56:59 +0000

My $0.02 on this:
http://blog.kourge.net/2007-01/prototyping-not-a-flaw/

By: mikael bergkvist

mikael bergkvist — Tue, 09 Jan 2007 01:41:11 +0000

I say as Homer Simpson did.. “Mmmm, javascript..”

By: mikael bergkvist

mikael bergkvist — Tue, 09 Jan 2007 01:40:11 +0000

Is ajax the problem or is javascript itself the problem?
And if it is, what are we supposed to use instead?
Isn’t this just the same old bunch longing back to the good old days when it was just ugly pages with hyperlinks, like my teachers back in school, who thought that anything but ‘pure’ html containing some (boring) research on how to properly format a sentence in chinese or on how rare bugs from outer mongolia has longer antennas, is sent by satan to destroy the world?

“Young man, when I was at your age, I walked TEN miles to school and without shoes and in a icecold blizzard – and by the way – we had noooo stinkin’ javascript running either..”

By: Eric Pascarello

Eric Pascarello — Mon, 08 Jan 2007 22:08:39 +0000

Emil,
info on the the code display can be found here: http://wp-plugins.net/plugin/syntax_hiliter/

By: Julien Couvreur

Julien Couvreur — Mon, 08 Jan 2007 22:07:49 +0000

I was kind of appalled by the announcement of this “great threat”. This is a well known behavior which has been repeatedly used in the javascript community. As any other idiosyncrasy of a programming language, it needs to be evaluated as part of a security review.
But I have a hard time believing that the authors of this presentation are issuing this warning in good faith. They surely must know that nothing in the paper is new. It seems to me that they are only seeking sensationalism.

By: Dan

Dan — Mon, 08 Jan 2007 21:48:30 +0000

So wait … client-side application logic can be hijacked? This is news. Look, I’m back in 1997. That being said, you would still have to provide some method of insecure user input for any of this to matter, and hopefully we all do that by now. We do, right?

By: Jason

Jason — Mon, 08 Jan 2007 21:40:36 +0000

I still don’t get it. I mean, I get the prototype thing and I understand the code above, but I’m trying to think how this could really happen.

First off I’m a developer for enterprises and our users are not just anyone who can sign up and log in. It’s all corporate and companies use us because they want to. I think it’s important to say that becuase first and foremost, in order for someone to submit a hijacked Ajax request, they’d have to be one of our customers. Quite possible I suppose, but unlikely.

Second, all our Ajax requests are first checked for the proper authentication. If the credentials are invalid, then that’s as far as things go. So this sorta gets back to my first point which is only our clients have the proper creds to access the logic on our servers.

That said, I’m still not certain, even if someone was authenticated in our system, how an exploit would happen. I mean, I see the theory of changing things, but how could someone, say, change a JS method I might have for a specific call – say to look up a contact – and then somehow put it on the server so it would be available the next time to other auth’d users? Or is this not the right way to look at it?

I dunno, guess it’s nice in theory and stand-alone, but I don’t see how it would fit into an actual real running app. Maybe someone could shed some light on this.

By: Mark Holton

Mark Holton — Mon, 08 Jan 2007 21:09:47 +0000

Great post by Alex. Thanks for that.

I need to read Grossman’s latest post a bit more carefully… but I’m confused (perhaps others can add some more insights to help clarify for me)…

Grossman’s latest seems to be a different stance than his previous post on WhiteHat’s site. Before he and WhiteHat effectively stated “Ajax presents no inherent insecurity” (link here: http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html)...

now this latest on his blog he says “Web browser security is broken. Completely shattered.”

I understand there’s a distinct difference in topics here between the Ajax paradigm not being inherently flawed, and commenting on the browser’s security, but yes, this recent commentary on browser insecurity seems to be a lot of FUD more than facts and data. Thanks for providing some more insight with your post.

By: Emil Davtyan

Emil Davtyan — Mon, 08 Jan 2007 19:54:14 +0000

Hello,

This my firs comment :) I would like to know how you get the code to show up so nicely in your post, it there a plug in for this?

Thanks

By: Alex Russell

Alex Russell — Mon, 08 Jan 2007 19:01:54 +0000

http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/