Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:33 AM
Connect Directly

Hackers Clean Up With Ajax

New Black Hat research shows how Ajax exposes data, users

The Ajax development tool may be easy to deploy and fun for users, but all of that cool interactivity can also put users in harm's way -- and a pair of researchers has written exploits to prove it.

Bryan Sullivan, senior research engineer for SPI Dynamics, and Billy Hoffman, lead researcher for SPI Dynamics's labs, next month at Black Hat USA will demonstrate their own specially crafted SQL injection and XPath injection attacks as well as "race-condition" exploits on Ajax.

They'll unleash their exploits on a mock Website called "Hacker's Vacation Website" that they built for the Black Hat session entitled "Premature Ajax-ulations" (really).

The crux of Ajax's problem is its heavy interaction with the client machine. Anywhere from one third to one half of most Ajax apps run out on the client, which leaves these apps wide open to attackers, the researchers say. "Any code running on the client is visible to a potential attacker. They can see what you're doing and how you're doing it," Sullivan says.

Ajax server code, too, must be more visible than the traditional Web app so that the client code can access it directly, Sullivan says.

In a traditional Web environment, such as a site that lets you purchase music, the transaction application -- login, authentication, debiting the account, etc. -- would basically run on the server. But with Ajax, that process engages the client with feedback, such as "now we're debiting your account," or "now you're downloading the software," Sullivan explains.

"There's a lot of Ajax logic on the client and it can be manipulated and exploited," Sullivan says.

The relative transparency of the Ajax-based application also makes it much simpler for an attacker to peek into the app and glean its inner workings -- and vulnerabilities -- for nefarious purposes. If a typical Web app is like a microwave -- where no one really knows or sees how it works -- Ajax is more like a toaster. "It's easy to understand, and you can look in and see the hot coils and the bread turning brown," Sullivan says. "It's easy to understand how to break it, too."

The most overlooked and serious security issue in Ajax is data transformation, where data is converted into HTML, Sullivan observes. With Ajax, that transformation often occurs at the client, rather than at the server for performance reasons. But such transformation increases the risk of SQL injection or XPath injection attacks, he says.

"If the server just sends back raw query results to the client, as is often done in Ajax apps, then an attacker can easily append his own commands and get back valid results. The entire database can be retrieved in one or two requests instead of [in] thousands."

And retrofitting an older Web app to Ajax is even less secure than developing it from scratch, the researchers say. "When someone 'Ajaxifies' a traditional Web app for whatever reason -- a good business reason or because it's trendy -- they have now taken an application that was secure and broken it, so it’s not secure anymore," Sullivan says. He says he recently has seen an "Ajaxified" app that updates passwords. "So anyone could access this directory and change anything they want."

So what should enterprises do to secure their Ajax-based apps?

"We're not going to say don't use Ajax. We think it's great," Sullivan says. "But watch your granularity of functions" in your apps. That may mean making a sensitive part of a transaction, for instance, one larger function rather than embedding a lot of back-and-forth correspondence between the client and server, he says. "So before a user could download a song, he or she would need to log in again."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Black Hat Inc.
  • SPI Dynamics Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-04-02
    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to
    PUBLISHED: 2020-04-02
    In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
    PUBLISHED: 2020-04-01
    The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
    PUBLISHED: 2020-04-01
    The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
    PUBLISHED: 2020-04-01
    In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...