Hackers Clean Up With Ajax

New Black Hat research shows how Ajax exposes data, users

The Ajax development tool may be easy to deploy and fun for users, but all of that cool interactivity can also put users in harm's way -- and a pair of researchers has written exploits to prove it.

Bryan Sullivan, senior research engineer for SPI Dynamics, and Billy Hoffman, lead researcher for SPI Dynamics's labs, will demonstrate next month at Black Hat USA their own specially crafted SQL injection and XPath injection attacks, as well as "race-condition" exploits, on Ajax.

They'll unleash their exploits on a mock Website called "Hacker's Vacation Website" that they built for the Black Hat session entitled "Premature Ajax-ulations" (really).

The crux of Ajax's problem is its heavy interaction with the client machine. Anywhere from one third to one half of most Ajax apps run out on the client, which leaves these apps wide open to attackers, the researchers say. "Any code running on the client is visible to a potential attacker. They can see what you're doing and how you're doing it," Sullivan says.

Ajax server code, too, must be more visible than the traditional Web app so that the client code can access it directly, Sullivan says.

In a traditional Web environment, such as a site that lets you purchase music, the transaction application -- login, authentication, debiting the account, etc. -- would basically run on the server. But with Ajax, that process engages the client with feedback, such as "now we're debiting your account," or "now you're downloading the software," Sullivan explains.

"There's a lot of Ajax logic on the client and it can be manipulated and exploited," Sullivan says.

The relative transparency of the Ajax-based application also makes it much simpler for an attacker to peek into the app and glean its inner workings -- and vulnerabilities -- for nefarious purposes. If a typical Web app is like a microwave -- where no one really knows or sees how it works -- Ajax is more like a toaster. "It's easy to understand, and you can look in and see the hot coils and the bread turning brown," Sullivan says. "It's easy to understand how to break it, too."

The most overlooked and serious security issue in Ajax is data transformation, where data is converted into HTML, Sullivan observes. With Ajax, that transformation often occurs at the client rather than at the server, for performance reasons. But such transformation increases the risk of SQL injection or XPath injection attacks, he says.

"If the server just sends back raw query results to the client, as is often done in Ajax apps, then an attacker can easily append his own commands and get back valid results. The entire database can be retrieved in one or two requests instead of [in] thousands."
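The pattern Sullivan describes, as an added example that is not from the article or from SPI Dynamics: a hypothetical song-search endpoint that concatenates the client's term into SQL and ships whole rows to the browser, beside a version that binds the term as a parameter and does the transformation server-side. The `songs` table, column names and rows are constructed for illustration; the SQL strings are only built and inspected, never executed.

```javascript
// Constructed sample table standing in for a "songs" table; ownerEmail is a
// column the page never needs and should never reach the client.
const SONGS = [
  { id: 1, title: "Blue Train", artist: "Coltrane", price: 0.99, ownerEmail: "a@example.com" },
  { id: 2, title: "So What", artist: "Davis", price: 0.99, ownerEmail: "b@example.com" },
  { id: 3, title: "<b>Bold</b> Tune", artist: "Coltrane", price: 0.99, ownerEmail: "c@example.com" },
];

// Vulnerable pattern: the search term becomes part of the SQL text, so any
// quote in it changes the query's structure, and SELECT * returns every
// column for the browser to turn into HTML.
function buildUnsafeQuery(term) {
  return "SELECT * FROM songs WHERE artist = '" + term + "'";
}

// Hardened pattern: fixed SQL text, the term travels as a bound parameter,
// and only the columns the page needs are projected.
const SAFE_COLUMNS = ["id", "title", "artist", "price"];
function buildSafeQuery(term) {
  if (typeof term !== "string" || term.length > 64) {
    throw new Error("invalid search term");
  }
  return { sql: "SELECT id, title, artist, price FROM songs WHERE artist = ?", params: [term] };
}

// Server-side transformation: reduce rows to the allowlisted shape and
// HTML-escape string fields before the JSON leaves the server, so the client
// never receives raw rows and never has to escape them itself.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}
function shapeRows(rows) {
  return rows.map(row => Object.fromEntries(
    SAFE_COLUMNS.map(k => [k, typeof row[k] === "string" ? escapeHtml(row[k]) : row[k]])));
}

// Simulated execution of the safe query against the in-memory table.
function searchSongs(term) {
  const q = buildSafeQuery(term);
  const rows = SONGS.filter(r => r.artist === q.params[0]);
  return shapeRows(rows);
}
```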

And retrofitting an older Web app to Ajax is even less secure than developing it from scratch, the researchers say. "When someone 'Ajaxifies' a traditional Web app for whatever reason -- a good business reason or because it's trendy -- they have now taken an application that was secure and broken it, so it's not secure anymore," Sullivan says. He says he recently has seen an "Ajaxified" app that updates passwords. "So anyone could access this directory and change anything they want."

So what should enterprises do to secure their Ajax-based apps?

"We're not going to say don't use Ajax. We think it's great," Sullivan says. "But watch your granularity of functions" in your apps. That may mean making a sensitive part of a transaction, for instance, one larger function rather than embedding a lot of back-and-forth correspondence between the client and server, he says. "So before a user could download a song, he or she would need to log in again."
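The granularity advice above, as an added example that is not from the article or from SPI Dynamics: a hypothetical music-purchase flow written once with each step exposed to the client as its own callable function, and once as a single server-side function that re-checks the session and performs every step together. The account data, price and function names are constructed for illustration.

```javascript
// Constructed in-memory account store standing in for the server's state.
const PRICE = 0.99;
const accounts = {};
function resetAccounts() {
  accounts.alice = { balance: 1.0, loggedIn: true, owns: new Set() };
}
resetAccounts();

// Fine-grained design: the client drives the sequence by calling each step.
// Nothing on the server ties grantDownload to a completed debitAccount, so the
// server cannot tell whether the steps ran in order, or ran at all.
const fineGrained = {
  debitAccount(user) {
    accounts[user].balance = Math.round((accounts[user].balance - PRICE) * 100) / 100;
    return true;
  },
  grantDownload(user, songId) {
    accounts[user].owns.add(songId);
    return `/download/${songId}`;
  },
};

// Coarse-grained design: one round trip, one function. Authentication is
// re-checked, funds are verified, and the download is granted only after the
// debit has happened inside the same server-side call.
function purchaseSong(user, songId, reauthenticated) {
  const acct = accounts[user];
  if (!acct || !acct.loggedIn || !reauthenticated) {
    return { ok: false, reason: "authentication required" };
  }
  if (acct.balance < PRICE) {
    return { ok: false, reason: "insufficient funds" };
  }
  acct.balance = Math.round((acct.balance - PRICE) * 100) / 100;
  acct.owns.add(songId);
  return { ok: true, url: `/download/${songId}`, balance: acct.balance };
}
```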

— Kelly Jackson Higgins, Senior Editor, Dark Reading
