Review: Ajax's Hidden Security Threat and How To Fix It
The danger to IT organizations is that Ajax is being treated as a direct pipeline into corporate data, which is pushing developers to inadvertently expose more data and server-side logic to the browser than ever before.
Because Ajax calls are issued from script rather than by loading pages, their logic can also escape client-side security scanners, letting attackers stage new attacks from remote servers. Ajax applications, too, fall prey to well-known vulnerabilities such as cross-site scripting, SQL injection and authentication and credential-handling flaws.
To give a picture of the dangers of Ajax applications and ways to address them, the CRN Test Center evaluated four products that cover different stages of the Web app development life cycle: Cenzic's Hailstorm, the SPI Dynamics suite, Finjan's Vital Security Appliance and Apache's XAP. By using these products and others like them, developers can significantly reduce Ajax vulnerabilities and keep the flaws that remain manageable.
CENZIC HAILSTORM
One way to find Ajax flaws is with an application security testing suite. Cenzic's Hailstorm has refined behavioral analysis of Ajax-based Web apps to an art form. It automates some of the most complex multi-step, stream-based attacks, letting developers see how real-world attackers would go about breaking into their Web apps and stealing sensitive data.
Hailstorm lets developers inspect every vulnerability it finds in real time, showing which injected code was executed and how the target Web app responded. It also suggests fixes for code written in various technologies; because Web app technologies are so varied, the suggestions are generic fixes rather than code for a specific framework.
According to Cenzic, two classes of vulnerability dominate when Ajax apps make server requests: missing input validation (SQL and script injection) and weak authentication. The key challenge for developers is to make sure no injected input is reflected back or acted upon. Yet accepting Ajax data structures that the client may have modified, without opening holes in the code and while still enforcing standard HTTP request handling, can be daunting.
For instance, a POST body is a list of fields separated by ampersands, so attackers can enumerate and tamper with those parameters and use the server's responses to learn how each one is handled. Attackers also craft custom HTTP headers, inserting function calls into header values in the hope that the server will execute them. Hailstorm helps developers find such header flaws by injecting code into headers and comparing the server's responses.
Hailstorm also checks for injection through POST data. Where the response to a manipulated header shows the server is vulnerable, Hailstorm generates cross-site scripting and SQL injection attacks to test both the server's request handling and any script execution. It can also inject "null" (empty) function names into requests to see whether the page structure can be altered with rogue functions. Attackers like the same trick: an empty function name often makes the server return its raw XML or data structure, revealing which functions are being called.
Because Ajax requests go through XMLHttpRequest, developers can change the structure of the POST data on the fly to return immediate results to the browser. That flexibility can be abused: an attacker who can alter a function the page calls could, for example, inject spam content into the page.
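As an added illustration of the POST-parameter and "null function" issues described above, here is a small Node.js simulation of an Ajax endpoint. It is example code written for this review, not Cenzic's or Hailstorm's; the endpoint, the parameter names (callback, acct) and the account record are hypothetical. The vulnerable handler reflects whatever function name the client supplies, so an empty name returns the raw data structure and a crafted name runs attacker script; the hardened handler rejects duplicated parameters and anything but a plain identifier.

```javascript
// Simulated Ajax endpoint. The browser POSTs an application/x-www-form-urlencoded
// body (name=value pairs joined by '&') and names the client-side function that
// should receive the result. Constructed example; the parameter names
// (callback, acct) and the account record below are hypothetical.

// Parse a form-encoded body into [name, value] pairs, keeping duplicates so a
// smuggled second copy of a parameter stays visible to the caller.
function parseFormBody(body) {
  const pairs = [];
  const decode = s => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const part of body.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const rawName = eq < 0 ? part : part.slice(0, eq);
    const rawValue = eq < 0 ? '' : part.slice(eq + 1);
    pairs.push([decode(rawName), decode(rawValue)]);
  }
  return pairs;
}

// Constructed back-end data.
const ACCOUNTS = { '1001': { id: '1001', owner: 'A. Example', balance: 1250 } };
function lookupAccount(id) { return ACCOUNTS[id] || null; }

// VULNERABLE: whatever the client puts in "callback" is written straight into
// the script response. An empty callback (the "null function" probe) returns
// the bare data structure; "alert(document.cookie)//" runs attacker script in
// every browser that evaluates the response.
function vulnerableHandler(body) {
  const params = Object.fromEntries(parseFormBody(body));
  return `${params.callback}(${JSON.stringify(lookupAccount(params.acct))});`;
}

// HARDENED: reject duplicated parameters, allow only a plain identifier as the
// callback and only digits as the account id, and escape the two characters
// that are legal inside JSON strings but end a JavaScript string literal.
// The leading comment is a common hardening against content-sniffing tricks.
const IDENT = /^[A-Za-z_$][\w$]{0,63}$/;
const DIGITS = /^\d{1,10}$/;
function hardenedHandler(body) {
  const pairs = parseFormBody(body);
  const seen = new Set();
  for (const [name] of pairs) {
    if (seen.has(name)) throw new Error(`duplicate parameter: ${name}`);
    seen.add(name);
  }
  const params = Object.fromEntries(pairs);
  if (!IDENT.test(params.callback || '')) throw new Error('invalid callback');
  if (!DIGITS.test(params.acct || '')) throw new Error('invalid account id');
  const json = JSON.stringify(lookupAccount(params.acct))
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return `/**/ ${params.callback}(${json});`;
}

console.log(vulnerableHandler('callback=&acct=1001'));          // raw structure leaks
console.log(hardenedHandler('callback=showAccount&acct=1001')); // safe script response
```

A script-format response like this must also be served with a JavaScript content type, and if the data is private it needs a per-session check so that a third-party page cannot load it with a script tag; those headers are outside this snippet.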
Timing also matters, because not every Ajax call is a useful target. Ajax requests are intermediary requests: the changes they make to a page are completed later by server-side components, by internal end users, or by both, so the effect of an injection may not show up until a later page load.
Internal end users are, for example, staff who review submitted forms at banks and other financial firms. To determine what an Ajax request caused, Hailstorm includes a server-side browser that follows through those internal users' event-driven responses and traces them back to the page loads from client browsers.
For instance, after injecting into form data over Ajax, Hailstorm users can compare the sizes of the responses. If an internal user later clicks on a JavaScript pop-up planted by an Ajax-delivered SQL injection, data pulled from the Web app can leak, letting attackers view table dumps of financial data. Hailstorm can pinpoint the exact page load that created this flaw because it tags each transaction with a watermark ID. That is what makes its assessments stateful: it mimics how attackers maintain state across a Web app to reach these second-order flaws.
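To show how a watermark on each transaction ties a second-order finding back to the request that planted it, the following Node.js script is added here as an illustration; it is not Hailstorm's code. The loan-application store, its fields and the reviewer's queue page are constructed stand-ins for the bank form described above.

```javascript
// Second-order (stored) injection traced with per-transaction watermarks.
// Constructed example, not Hailstorm's code: the loan-application store,
// its fields and the internal reviewer's queue page are hypothetical.

const htmlEncode = s => String(s).replace(/[&<>"']/g, c =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));

// ---- the application under test (constructed) ---------------------------
const applications = [];                 // rows written by the Ajax form handler

function submitApplication(fields) {     // stands in for POST /apply over XMLHttpRequest
  applications.push({ applicant: fields.applicant, amount: fields.amount });
}

function renderReviewQueue() {           // the page an internal reviewer loads later
  // Flaw: the applicant name is inserted raw; the amount is encoded correctly.
  return applications.map(a =>
    `<tr><td>${a.applicant}</td><td>${htmlEncode(a.amount)}</td></tr>`).join('\n');
}

// ---- the assessment ----------------------------------------------------
let seq = 0;
const nextWatermark = () => `wm${String(++seq).padStart(4, '0')}`;

// One transaction per field: inject a payload that carries its own watermark,
// so wherever it resurfaces the ID names the request that planted it.
function injectAll(fieldNames) {
  const log = [];
  for (const field of fieldNames) {
    const id = nextWatermark();
    const payload = `<img src=x onerror=alert('${id}')>`;
    const fields = { applicant: 'Jane Roe', amount: '2500' };   // benign baseline
    fields[field] = payload;
    submitApplication(fields);
    log.push({ id, field, payload });
  }
  return log;
}

// Fetch the page the internal user sees and look for payloads that survived
// unencoded. A hit is a stored XSS, attributed to the watermark's transaction.
function findLeaks(html, log) {
  return log.filter(t => html.includes(t.payload))
            .map(t => ({ id: t.id, field: t.field }));
}

// Run the whole assessment from a clean state.
function assess() {
  applications.length = 0;
  seq = 0;
  const log = injectAll(['applicant', 'amount']);
  return findLeaks(renderReviewQueue(), log);
}

console.log(assess());   // [ { id: 'wm0001', field: 'applicant' } ]
```

The same idea scales to any number of entry points: the watermark is the only state the tester has to keep, and it survives the round trip through the database and the internal page even when the payload itself is transformed, as long as the marker text is still recognizable.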
SPI DYNAMICS SUITE
SPI Dynamics also offers a comprehensive app security testing solution. The SPI Dynamics suite provides tools for every stage of a software development life cycle, covering black box assessments, code inspection, testing and unified viewing of all results.
For black box testing, the WebInspect tool provides highly interactive UIs for the suite's scanning and test results features. WebInspect shows vulnerability results and sports a dashboard for tracking the scanning process. Users can edit vulnerability sessions to get results from individual scans and produce custom reports.
The Policy Manager tool lets end users configure multiple scanning engines to run on a job and specify which tests each scan can execute. Users also can generate custom agents to trace test code.
According to SPI Dynamics, Ajax apps are flawed whenever developers fail to identify cross-site scripting and Web services vulnerabilities. For cross-site scripting, WebInspect reports every manipulated parameter and the exact characters it used to achieve the injection.
To get there, WebInspect's engine submits many combinations of characters through the Ajax-based JavaScript code paths to learn which ones the app lets through unfiltered. From those results it works out how to craft a cross-site scripting payload, and it reports the page on which the flaw was found.
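The character-probing approach described above, as an added example (written for this review, not SPI Dynamics' or WebInspect's code): the script pushes individual characters and then complete payloads through a filter and reports which pass intact. The weak sanitizer it probes is constructed for the example; the encoding function beside it is the fix a developer would apply to text placed in an HTML body.

```javascript
// Black-box filter probing in the style described above. Constructed example,
// not WebInspect's code: the weak sanitizer is a deliberately flawed stand-in
// for an application's input filter.

// Deliberately weak: strips <script> tags and nothing else, a common mistake.
function weakSanitize(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// The fix for text that lands in an HTML body: encode rather than filter.
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}

// Characters an XSS payload typically needs. Each is probed on its own first.
const PROBE_CHARS = ['<', '>', '"', "'", '/', '=', '(', ')', ';'];

// Payload templates a scanner would try once it knows which characters pass.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '"><script>alert(1)</script>',
  "' onmouseover='alert(1)",
];

// Step 1: send each character wrapped in harmless text; keep those that
// come back byte-for-byte unchanged.
function survivingChars(filter) {
  return PROBE_CHARS.filter(c => filter(`x${c}x`) === `x${c}x`);
}

// Step 2: try only payloads whose special characters all survived, and keep
// those the filter returns intact. Each one is live in a page that inserts
// the filtered value into the matching HTML context.
function findBypasses(filter) {
  const ok = new Set(survivingChars(filter));
  return PAYLOADS.filter(p => {
    const needed = [...p].filter(ch => PROBE_CHARS.includes(ch));
    return needed.every(ch => ok.has(ch)) && filter(p) === p;
  });
}

// Summary a scanner would report for one input parameter.
function probe(name, filter) {
  return { filter: name, surviving: survivingChars(filter), bypasses: findBypasses(filter) };
}

console.log(probe('weakSanitize', weakSanitize));   // 3 bypasses
console.log(probe('htmlEncode', htmlEncode));       // none
```

The two-step order is what keeps the probe cheap: characters that never survive rule out whole families of payloads before any of them are sent, which is the same reason a scanner reports the surviving characters alongside the finding.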
Another tool, DevInspect, lets developers correlate the vulnerabilities found on pages with specific lines of source code. DevInspect performs source code analysis and black box testing from inside an IDE; Visual Studio 2005 is supported today, with Eclipse support due at year's end. Such hybrid analysis is unique to SPI Dynamics.
DevInspect can also show the raw HTTP requests behind injection results. SPI Dynamics offers an HTTP editor as well, which resends requests to a Web server so developers can track what happens on the server side. Both tools let developers retest fixed vulnerabilities: they can pull the results of earlier attacks and resend them to the Web server.
Even where strong data filtering and server-side validation code exist, DevInspect tries to get past them by generating requests crafted to bypass those routines. Developers can change attacks in midstream to flag flaws in the responses to XMLHttpRequest calls. DevInspect checks Web services by applying SQL injection and identifying input validation weaknesses. It can also fix some vulnerabilities automatically, modifying code for input validation problems and repairing configuration problems.
By the first quarter of 2007, SPI Dynamics plans to integrate WebInspect with DevInspect through its Assessment Management Platform (AMP) product to cover the entire application development life cycle. Ideally, AMP will analyze and correlate data from WebInspect and DevInspect users so that different groups can share results.
FINJAN VITAL SECURITY APPLIANCE
According to Finjan, Ajax behaves like a hidden Web: its requests invoke server code with no visible page navigation in the browser. Ajax-based apps can also query Web services, which lets attackers craft stealthy attacks because the code involved is never displayed to the user.
Finjan's Vital Security Appliance provides one of the most complete security audits of browser-based activity that the Test Center has seen. Finjan's motto is to trust no code from any source that reaches a browser, so its software continuously watches for changes to any site its customers visit.
The Vital Security Appliance secures end users by providing a gateway between browsers and external Web servers. Finjan also offers antispyware and antivirus scanners, URL categorization filters, content type detectors and content processors.
Finjan's patented behavioral analysis engine intercepts code on its way to browsers and analyzes what it does. Regardless of data format or application state, the appliance detects code that tries to access the registry or system files or to open additional network connections.
The Finjan software can also trace code that uses custom encoding, encryption or obfuscated binaries. Actions such as file deletion and data export are identified and trapped as well. Finjan's parsing technology strips only the offending scripts from a page and lets the rest of the code through; it does not block the whole page from loading, since that creates user dissatisfaction.
In addition to code delivered over plain HTTP, the Finjan appliance can screen Ajax code structures and Web services output, including traffic inside SSL sessions, which means the gateway has to terminate and re-encrypt those sessions itself. In the Test Center's evaluation, nothing slipped past its deep scanning. The software can also block trojan traffic from already-infected end-user PCs, so traffic leaving the intranet is filtered as well.
Because the Vital Security Appliance checks behavior rather than signatures, it can make its own decisions once placed in a customer's intranet; the appliances do not have to wait for feedback from Finjan's labs when they encounter new flaws.
APACHE XAP
To secure the next generation of Ajax-based apps, Ajax frameworks must find a way to abstract known vulnerabilities away from hand-coded, client-side scripting. Apache's new XAP framework aims to do just that. Unlike most Ajax libraries, XAP generates the client-side code itself from XML descriptions of data access and presentation, rather than leaving that code to the developer.
XAP was originally developed by Nexaweb. In addition to XAP, Nexaweb offers a server-based platform that can distribute content to Ajax- and Java-based clients from SOA-based systems and database systems. At this stage, most Nexaweb customers primarily use Java-based clients for mission-critical applications. Because of Java's mature Swing API, developers can create richer client experiences with Java clients.
Still, XAP's unique architecture provides key advantages, allowing developers to express client-side code and data interaction in XML without writing any client-side scripting, which reduces the chance of creating exploitable flaws.
XAP comes with three main components: a user interface, a data binding layer and a plug-in architecture. The interface component can generate rich UIs from XML descriptions. Developers only have to describe in XML what the UIs must look like, and XAP automatically generates HTML and JavaScript under the hood. Developers don't have to deal with DOM APIs or even CSS to generate graphics. Nexaweb offers a visual plug-in for Eclipse, allowing developers to build UIs by dragging and dropping graphical elements.
XAP's Ajax security model lies in its data binding component. Through the data binding layer, developers describe how to connect to data sources; the XAP engine can connect to any server-side data source or Web service. Developers also use the data binding component to bind data into the UI. Neither task requires hand-written code.
With the XAP engine, developers can choose the type of data binding each UI element needs: XAP supports one-time, one-way and two-way bindings. Because validation is handled by XAP's JavaScript APIs, developers don't have to write their own client-side validation routines. That covers only the browser side, however: a client can alter or bypass any script it receives, so the server must still validate every Ajax request it accepts, as the Hailstorm and SPI Dynamics evaluations above make clear.
XAP's plug-in architecture can incorporate Ajax tool kits from third-party projects so that developers can gain from a wider set of features and functions. The plug-in architecture uses a bridging mechanism that maps any Ajax framework or tool kit into XML descriptions that the XAP engine can read.
On initial install, XAP provides a plug-in for the open-source Dojo tool kit. XAP uses Dojo for graphical rendering and UI component development. The Dojo group is currently developing vector-based graphics to improve its rich UI rendering.