As a result, many companies that have rushed to Ajax-enable their sites may be dangerously vulnerable to a variety of web-based threats of which they’re not even aware.
Ajax is an increasingly popular programming technique that allows web designers to make their websites more responsive to user input compared with traditional pages. Google, Yahoo and many other sites have embraced Ajax, which enables new content to be added to a web page in response to user input without needing the entire page to be reloaded.
Among the biggest of these threats, says Hoffman, is the opening that poorly coded Ajax sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed Ajax implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program’s functions are executed, Hoffman says.
The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters, or deleting certain program calls entirely. Ajax environments can also present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken.
To illustrate the threat, Hoffman and Sullivan demonstrated a series of attacks against a fictitious Ajax-enabled travel reservation site at a Black Hat presentation. The Ajax functionality in the site was completely built using tools and information sources that are commonly used by most Ajax developers today.
Hoffman and Sullivan showed how it was possible via the client browser to change the flow of the reservation program so that it would be possible for an attacker to book a ticket and not pay for it, or pay less than the quoted price for it.
The fundamental mistake that many Ajax developers make is to assume that code available on the client side will be treated in the same manner as server-side code, Sullivan says. He says what such developers fail to realise is that when code that was originally intended to run on a server behind the firewall is presented on a client browser, it becomes possible to manipulate and change that code.
“When you publicly expose server methods for your Ajax applications, you are essentially creating an API for anyone to call,” the two researchers wrote in their white paper. As a result care should be taken to expose only the required server-side methods, they said, adding that it also becomes vital to validate all user input for correct format and length to mitigate threats.