Archive for the ‘Ajax security’ Category

Both Flash and Ajax contain known potential security holes

February 8th, 2009

Both Flash and Ajax contain known potential security holes. Nevertheless, developers rely on them for building an interactive Web presence. IBM has added AppScan to its Rational tools line in a bid to cope with new vulnerabilities. Rational AppScan can both scan and continuously monitor interactive Web applications and SOA services built as Web services to spot potential exposures.

MySpace hackers have in the past planted Ajax code in fields meant to be links, causing the code to run in an unsuspecting user’s browser when the link is clicked, a practice known as cross-site scripting. Likewise, manipulative users can submit SQL commands where a value is sought for a database process, and the database, running the command, produces unanticipated results, a vulnerability known as SQL injection. AppScan can watch for such activity and alert administrators if it’s spotted, said Scott Hebner, Rational’s VP of marketing.

More at http://www.informationweek.com/news/

Who is using Ajax

September 3rd, 2008

Google is making a huge investment in developing the Ajax approach. All of the major products Google has introduced over the last year — Orkut, Gmail, the latest beta version of Google Groups, Google Suggest, and Google Maps — are Ajax applications. (For more on the technical nuts and bolts of these Ajax implementations, check out these excellent analyses of Gmail, Google Suggest, and Google Maps.) Others are following suit: many of the features that people love in Flickr depend on Ajax, and Amazon’s A9.com search engine applies similar techniques.

These projects demonstrate that Ajax is not only technically sound, but also practical for real-world applications. This isn’t another technology that only works in a laboratory. And Ajax applications can be any size, from the very simple, single-function Google Suggest to the very complex and sophisticated Google Maps.

At Adaptive Path, we’ve been doing our own work with Ajax over the last several months, and we’re realizing we’ve only scratched the surface of the rich interaction and responsiveness that Ajax applications can provide. Ajax is an important development for Web applications, and its importance is only going to grow. And because there are so many developers out there who already know how to use these technologies, we expect to see many more organizations following Google’s lead in reaping the competitive advantage Ajax provides.

Ajax is a method by which developers bring end users closer

September 3rd, 2008

Ajax is a method by which developers bring end users closer to interfaces being exposed by Service Oriented Architectures. The push to create loosely coupled service-based architectures is a promising idea with many benefits in enterprise environments. As more of these service-based “endpoints” become developed, and as Ajax introduces the ability to push more sophisticated processing to the end user, the possibility of moving away from the standard three-tier model arises.

Typically, many web services within an enterprise (as opposed to on the Internet overall) were designed for B2B, and therefore designers and developers often did not expect interaction with actual users. This lack of foresight led to some bad security assumptions during design. For example, the initial designers may have assumed that authentication, authorization and input validation would be performed by other middle-tier systems. Once one allows “outsiders” to directly call these services through the use of Ajax, an unexpected agent is introduced into the picture. A real-life example of such usage is the consistent pitch from Microsoft to use Atlas hand-in-hand with web services. Developers can now write JavaScript to create XML input and call the web service right from within the client’s browser. In the past this was achieved through service proxies at the server.
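As an added example (not code from the original post or from any product it mentions): a JavaScript service handler written under the “trusted middle tier” assumption described above, beside a version that performs its own authentication, authorization and input validation because Ajax clients now reach it directly. The session store, price table and request shape are constructed for the demonstration.

```javascript
// Added example, not from the original post. SESSIONS and PRICES are constructed
// stand-ins for a session store and a product table; "req" mimics a parsed request.
const SESSIONS = { "sess-abc": { user: "alice", roles: ["customer"] } };
const PRICES = { "sku-100": 19.99, "sku-200": 49.0 };

// Before: written for a server-side B2B proxy that was assumed to have already
// authenticated the caller and validated the payload. Once a browser can call
// it directly, every field in the body is attacker-controlled: the "user" is
// whatever the client claims, qty is coerced, and an unknown sku yields NaN.
function quoteTrusting(req) {
  return { total: PRICES[req.body.sku] * req.body.qty, user: req.body.user };
}

// After: the endpoint enforces its own checks instead of assuming an upstream
// tier did. Identity comes from the session, never from the request body.
function quoteHardened(req) {
  const headers = req.headers || {};
  const session = SESSIONS[headers["x-session-id"]];
  if (!session) {
    return { status: 401, error: "not authenticated" };
  }
  if (!session.roles.includes("customer")) {
    return { status: 403, error: "forbidden" };
  }
  const { sku, qty } = req.body || {};
  // hasOwnProperty keeps keys such as "__proto__" from matching the price table.
  if (typeof sku !== "string" || !Object.prototype.hasOwnProperty.call(PRICES, sku)) {
    return { status: 400, error: "unknown sku" };
  }
  if (!Number.isInteger(qty) || qty < 1 || qty > 1000) {
    return { status: 400, error: "qty must be an integer between 1 and 1000" };
  }
  return { status: 200, total: +(PRICES[sku] * qty).toFixed(2), user: session.user };
}
```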

Examining ASP.NET AJAX JavaScript source code

November 16th, 2007

If you examine the ASP.NET AJAX JavaScript source code, you’ll see lots of “===” compare operators where you’d expect to find the normal “==” operator. Both will evaluate whether two objects are equal, but “===” takes it a step further and validates that the objects being compared share the same identity. That means, in order for “===” to return true, the objects must be equal without JavaScript performing any data type conversions. This provides strict equality tests in JavaScript, where loosely typed objects can often cause problems. And yes, “!==” exists, too.

At this point we’ve sent our request to the server, received a response, and now we have an XML document object sitting in JavaScript memory. We’ve completed our asynchronous communication with the server, but now we need to update the page’s DOM. After all, the point of Ajax is to update the page without doing a full PostBack (and thus a full refresh) of the page. What should now be obvious is that the harder part of creating an Ajax application is implementing the code that parses the server response and updates the page; the communication is actually fairly straightforward and easy.

Http Status code 304 is technically a valid response code in ajax

November 16th, 2007

HTTP status code 304 is technically a valid response code that the server may return when an Ajax request performs a GET. It indicates that the page has not changed and that the copy in the browser’s cache should be used. In Firefox, the XMLHttpRequest status property will return “200” whether the server responds with “200” or “304”. IE will also return status code 200 in the XMLHttpRequest GET response, so a solid implementation of your callback function does not need to check for both codes. radAjax currently throws an error for any response that does not return code 200. The XMLHttpRequest has several properties that we’re interested in during our response callback functions.
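An added example, not code from ASP.NET AJAX or radAjax, tying together the two posts above: a response callback that uses strict equality for its readyState and status checks, accepts 304 beside 200, and treats the response body as untrusted input before anything touches the DOM. The `xhr` objects it is fed are constructed stand-ins for an XMLHttpRequest (any object with `readyState`, `status` and `responseText`).

```javascript
// Added example in the style of the posts above, not from ASP.NET AJAX or radAjax.
// "xhr" is any object exposing readyState, status and responseText.

// Loose equality coerces operands before comparing; strict equality does not.
// The loose results (e.g. "0" == false, null == undefined, "200" == 200) are the
// surprises that motivate using "===" everywhere in a callback.
function compareBoth(a, b) {
  return { loose: a == b, strict: a === b };
}

const READYSTATE_DONE = 4;

// Returns the parsed JSON body, or an Error explaining why the response was
// rejected. 304 is accepted beside 200 because the browser serves the cached
// body in that case (Firefox and IE already report it as 200). Unlike the
// radAjax behaviour described in the post, nothing is thrown: the caller
// decides how to surface the Error.
function handleResponse(xhr) {
  if (xhr.readyState !== READYSTATE_DONE) {
    return new Error("response not complete yet");
  }
  if (xhr.status !== 200 && xhr.status !== 304) {
    return new Error("unexpected HTTP status " + xhr.status);
  }
  // The response is input from the network: parse it defensively before
  // using it to update the page.
  let data;
  try {
    data = JSON.parse(xhr.responseText);
  } catch (e) {
    return new Error("malformed JSON in response body");
  }
  if (typeof data !== "object" || data === null) {
    return new Error("unexpected body type: " + typeof data);
  }
  return data;
}
```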

Advent of ajax applications

September 16th, 2007

The advent of AJAX applications has raised considerable security issues due to a broadened threat window brought about by the very same technologies and complexities developed. With an increase in script execution and information exchanged in server/client requests and responses, hackers have greater opportunity to steal data, thereby costing organizations thousands of dollars in lost revenue, severe fines, diminished customer trust and substantial damage to your organization’s reputation and credibility.

The only solution for effective and efficient security auditing is a vulnerability scanner which automates the crawling of websites to identify weaknesses. However, without an engine that parses and executes JavaScript, such crawling is inaccurate and gives website owners a false sense of security.

The Acunetix Client Script Analyzer, included in Acunetix WVS, identifies the document object model, events and behaviours of a website and executes all the embedded scripts. This unique web auditing methodology significantly enhances the quality of the vulnerability scan.

Ajax vulnerabilities

September 16th, 2007

Although AJAX is a most powerful set of technologies, developers must be aware of the potential security holes and breaches to which AJAX applications have become (and will become) vulnerable.

According to Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, Web applications are the most vulnerable elements of an organization’s IT infrastructure today. An increasing number of organizations (both for-profit and not-for-profit) depend on Internet-based applications that leverage the power of AJAX. As this group of technologies becomes more complex in order to allow the depth and functionality discussed, security risks will only increase if organizations do not secure their web applications.

Increased interactivity within a web application means an increase in XML, text and general HTML network traffic. This leads to exposing back-end applications which might not previously have been vulnerable or, if there is insufficient server-side protection, to giving unauthenticated users the possibility of manipulating their privilege configurations.

There is a general misconception that AJAX applications are more secure because it is thought that a user cannot access the server-side script without the rendered user interface (the AJAX-based web page). XMLHttpRequest-based web applications obscure server-side scripts, and this obscurity gives website developers and owners a false sense of security; obscurity is not security. Since XMLHttpRequests use the same protocol as everything else on the web (HTTP), AJAX-based web applications are, technically speaking, vulnerable to the same hacking methodologies as ‘normal’ applications.

Consequently, there is an increase in session management vulnerabilities and a greater risk of hackers gaining access to the many hidden URLs which are necessary for AJAX requests to be processed.

Another weakness of AJAX is the process that formulates server requests. The Ajax engine uses JavaScript to capture the user’s commands and transform them into function calls. Such function calls are sent to the server in plain, visible text and may easily reveal database table fields such as valid product and user IDs, or even important variable names, valid data types or ranges, and any other parameters which may be manipulated by a hacker.

With this information, a hacker can easily use AJAX functions without the intended interface by crafting specific HTTP requests directly to the server. In case of cross-site scripting, maliciously injected scripts can actually leverage the AJAX provided functionalities to act on behalf of the user thereby tricking the user with the ultimate aim of redirecting his browsing session (e.g., phishing) or monitoring his traffic.

How ajax is different

September 14th, 2007

An Ajax application eliminates the start-stop-start-stop nature of interaction on the Web by introducing an intermediary — an Ajax engine — between the user and the server. It seems like adding a layer to the application would make it less responsive, but the opposite is true.

Instead of loading a webpage, at the start of the session, the browser loads an Ajax engine — written in JavaScript and usually tucked away in a hidden frame. This engine is responsible for both rendering the interface the user sees and communicating with the server on the user’s behalf. The Ajax engine allows the user’s interaction with the application to happen asynchronously — independent of communication with the server. So the user is never staring at a blank browser window and an hourglass icon, waiting around for the server to do something.

Cross site scripting

September 11th, 2007

Another unfortunate truth is that attackers can be more creative (in other words, dangerous) with the use of Cross Site Scripting (XSS) vulnerabilities. [ref 5] Typically, attackers had to use XSS holes in a “single-threaded” world, where the attack was being carried out while the user’s browser was in a wait state. This wait state provided some visual/behavioral cues to the user of a possibly misbehaving application. With the introduction of Ajax, an attacker can exploit Cross Site Scripting vulnerabilities in a more surreptitious manner. While you check your mail with an Ajax-enabled application, the malicious code could be sending email to all your friends without your browser giving you any visual cues at all.

Adequate, specialized security testing must be performed prior to moving the application into production to address these areas of concern. Even though Ajax applications are web applications, an organization’s existing security testing methodologies may be insufficient due to the highly interactive nature of these applications.