Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human

Breaking AJAX Web Applications - Black Hat 2006 Day 2

Alex Stamos

Alex Stamos and Zane Lackey gave a talk at Black Hat called "Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0". As AJAX evolves from a toy used by teenyboppers to a serious tool used by banks, hospitals and uncle same, it becomes more and more important to ensure bug free code. AJAX has changed web attacks by exposing the use of frameworks used by the applications via included .js files which expose supported calls. Cross site scripting becomes more complicated as you can inject script into the javascript stream. Injection attacks are also more dangerous due to front ends that are exposed in the client side code. Business logic in applications has become more complex so parameter manipulation vulnerabilities are still excellent attacks.

XSS becomes more complicated and more interesting because you can just put javascript right into a running javascript engine, which becomes harder to escape as you're no longer looking for brackets and tags.

Because your browser is running a javascript application, if an attacker sends you rogue code, in say link form in your cool AJAX email app, your browser will run the code sent in the webmail application instead of loading it in a new page and then the attacker would be sent your authentication cookie. The attacker would then have access to your web mail. The speakers used the fictitious company Webmail.com in this example, and when asked about gmail they responded that they have more lawyers than webmail.com, but it was pretty clear the attack they were talking about was possibly on gmail.

Dynamic script nodes allow attackers to embed malicious javascript in a website that would allow a cookie from any site to be pulled because browsers allow cross domain XmlHttpRequests, this is very bad!