[WEB SECURITY] "AJAX breathes new life into Web apps"
Jeremiah Grossman
jeremiah at whitehatsec.com
Tue May 24 20:36:28 EDT 2005
True enough, as always the mantra remains don't trust user input.
However, what I was trying to describe was...
When normal POST data arrives it's simple to parse and simple to sanity
check:
foo=1&bar=2&text=testing
After that we're seeing XML arrive in POST data. Arguably a bit more
complicated to parse, as well as to sanity check (likely fewer developers
are properly sanity checking XML):
<data>
    <foo id="1">testing1</foo>
    <foo id="2">testing2</foo>
    <foo id="3">testin3</foo>
</data>
Now some new Ajax applications are sending serialized JS objects
across. The exact reason I don't know (maybe it's eval'ed server-side),
but it's much more difficult to parse and sanity check:
new.obj = {
    entry: [
        {
            id: '1',
            text: 'testing1'
        },
        {
            id: '2',
            text: 'testing2'
        },
        {
            id: '3',
            text: 'testing3'
        },
    ],
}
That's why I was saying that performing sanity checking in the Ajax
space is likely to become increasingly complicated. I'm not arguing
that it should, only that it will.
Jeremiah-
On Tuesday, May 24, 2005, at 05:23 PM, Ian Holsman wrote:
> It's the same problem as normal POST applications... nothing's really
> changed with/without ajax.
>
> you shouldn't trust any data coming in from the client.. at the end of
> the day it will be vulnerable to the same kind of attacks as typical
> server-side CGIs are.
>
> hopefully people have learned a bit and coded securely, but I doubt it.
>
>
> --Ian
>
> On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
>>
>> On Tuesday, May 24, 2005, at 01:13 PM, Garth Somerville wrote:
>>
>>> Nathan Tobik wrote:
>>>
>>>> I've read a bit about AJAX and it's a pretty cool technology. What I'm
>>>> wondering is what are the security implications of using this within
>>>> web apps?
>>>>
>>> One issue could be that it may not occur to developers that
>>> asynchronous requests made using xmlHttpRequest need to be validated
>>> on the server.
>>
>> I also expect this type of server-side validation to become
>> significantly more complex in the Ajax world. At the moment, we're used
>> to dealing with the standard URL encoded query string format going back
>> and forth across the wire. To some extent, XML as well.
>>
>> However, after ripping apart some of the new Ajax applications, I've
>> been witnessing very strange data structures being passed. For example,
>> serialized DOM objects where it looks like a big complicated JS array.
>> Who knows how this data is being handled on the server. I'm sure others
>> have seen the same.
>>
>> Jeremiah-
>>
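As an added illustration of the point made in the thread above (this is example code, not from the list or its participants): one allow-list check applied to all three payload shapes Jeremiah lists, URL-encoded form data, XML, and a JSON document. The constructed sample bodies are assumed; the JS object literal from the post is deliberately fed to a strict JSON parser to show it is rejected rather than eval'ed.

```python
import json
import re
from urllib.parse import parse_qs
from xml.etree import ElementTree

# Constructed sample payloads modelled on the three shapes in the post.
FORM_BODY = "foo=1&bar=2&text=testing"
XML_BODY = '<data><foo id="1">testing1</foo><foo id="2">testing2</foo></data>'
JSON_BODY = '{"entry": [{"id": "1", "text": "testing1"}, {"id": "2", "text": "testing2"}]}'
# The JS literal from the post is not JSON: bare keys, single quotes, trailing
# commas. A strict parser must reject it; eval() would execute it instead.
JS_LITERAL_BODY = "{ entry: [ { id: '1', text: 'testing1' }, ], }"

ID_RE = re.compile(r"^[0-9]{1,9}$")
TEXT_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")

def check_entry(entry_id, text):
    """Allow-list check applied identically whatever the wire format was."""
    if not (isinstance(entry_id, str) and ID_RE.match(entry_id)):
        raise ValueError("bad id: %r" % (entry_id,))
    if not (isinstance(text, str) and TEXT_RE.match(text)):
        raise ValueError("bad text: %r" % (text,))
    return {"id": int(entry_id), "text": text}

def from_form(body):
    fields = parse_qs(body, strict_parsing=True)  # lists of values per key
    return [check_entry(fields["foo"][0], fields["text"][0])]

def from_xml(body):
    # stdlib ElementTree is used to stay self-contained; production code should
    # parse untrusted XML with defusedxml to block entity expansion tricks.
    root = ElementTree.fromstring(body)
    if root.tag != "data":
        raise ValueError("unexpected root element")
    return [check_entry(el.get("id"), el.text or "") for el in root.findall("foo")]

def from_json(body):
    doc = json.loads(body)  # strict parser: data in, never code executed
    entries = doc.get("entry") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError("missing entry list")
    return [check_entry(e.get("id"), e.get("text")) for e in entries if isinstance(e, dict)]

def accepts(parser, body):
    """True if the body parses and passes validation, False otherwise."""
    try:
        parser(body)
        return True
    except (ValueError, KeyError, ElementTree.ParseError):
        return False
```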
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/