[WEB SECURITY] "AJAX breathes new life into Web apps"

Ian Holsman kryton at gmail.com
Tue May 24 20:55:28 EDT 2005


On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> True enough, as always the mantra remains don't trust user input.
> However, what I was trying to describe was...
> 
> When normal post data arrives it's simple to parse, simple to sanity
> check:
> 
> foo=1&bar=2&text=testing
> 
> 
> After that we're seeing XML arrive in post data. Arguably a bit more
> complicated to parse, as well as sanity check (likely fewer developers
> are properly sanity checking XML):
> 
> <data>
>         <foo id="1">testing1</foo>
>         <foo id="2">testing2</foo>
>         <foo id="3">testin3</foo>
> </data>
> 
this is the same kind of thing as a SOAP/XML-RPC request IMHO.. 
it really depends on what application they are using.. most would
sanity check the XML for 'free'
and then it wouldn't even get near the application code. it still
leaves the problem of SQL injection and stuff like that though..

> 
> Now some new Ajax applications are sending serialized JS objects
> across. The exact reason I don't know (maybe it's eval'ed server-side),
> but it's much more difficult to parse and sanity check:

they are probably stuck in 'everything is a java object' world.
they would have a piece of code which would de-serialize it, but yuk..
what a hopeless communication protocol..
if this is going server-> client, the reason is that you can just do an
eval( response.text );

and then the stuff is dynamically run on the client side. kind of like
self-modifying code.

> 
> new.obj = {
>         entry: [
>                 {
>                         id: '1',
>                         text: 'testing1'
>                 },
>                 {
>                         id: '2',
>                         text: 'testing2'
>                 },
>                 {
>                         id: '3',
>                         text: 'testing3'
>                 },
>         ],
> }
> 
> That's why I was saying that performing sanity checking in the Ajax
> space is likely to become increasingly complicated. I'm not arguing
> that it should, only that it will.
> 
> 
> Jeremiah-
> 
> On Tuesday, May 24, 2005, at 05:23  PM, Ian Holsman wrote:
> 
> > It's the same problem as normal POST applications... nothing's really
> > changed with/without ajax.
> >
> > you shouldn't trust any data coming in from the client.. at the end of
> > the day it will be vulnerable to the same kind of attacks as typical
> > server-side CGIs are.
> >
> > hopefully people have learned a bit and coded securely, but I doubt it.
> >
> >
> > --Ian
> >
> > On 5/25/05, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> >>
> >> On Tuesday, May 24, 2005, at 01:13  PM, Garth Somerville wrote:
> >>
> >>> Nathan Tobik wrote:
> >>>
> >>>> I've read a bit about AJAX and it's a pretty cool technology.  What
> >>>> I'm wondering is what are the security implications of using this
> >>>> within web apps?
> >>>>
> >>> One issue could be that it may not occur to developers that
> >>> asynchronous requests made using xmlHttpRequest need to be validated
> >>> on the server.
> >>
> >> I also expect this type of server-side-validation to become
> >> significantly more complex in the Ajax world. At the moment, we're
> >> used to dealing with the standard URL encoded query string format
> >> going back and forth across the wire. To some extent, XML as well.
> >>
> >> However, after ripping apart some of the new Ajax applications, I've
> >> been witnessing very strange data structures being passed. For
> >> example, serialized DOM objects where it looks like a big complicated
> >> JS array. Who knows how this data is being handled on the server. I'm
> >> sure others have seen the same.
> >>
> >> Jeremiah-
> >>
> 
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 


-- 
Ian at Holsman.net -- 03-9877-0909
If everything seems under control, you're not going fast enough. -
Mario Andretti
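As an added illustration (not code from either poster), this is what a server-side sanity check for the serialized-object payload discussed in the thread can look like when the receiver refuses to eval() and instead parses strict JSON and checks the exact shape; `parseEntries` and the bounds on `id` and `text` are my assumptions, not anything the thread specifies. Node.js, no dependencies.

```javascript
// Added example (not from the thread): server-side sanity check for the
// Ajax payload shape discussed above, done without eval(). Node.js, no deps.
// Reject anything that is not strict JSON. The thread's literal (unquoted
// keys, single quotes, trailing commas) does not parse, and nothing can
// execute because JSON.parse never evaluates its input.
function parseEntries(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'not strict JSON: ' + e.message };
  }
  // Shape check: a plain object whose only key is "entry", a bounded array.
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, error: 'top level must be an object' };
  }
  const keys = Object.keys(doc);
  if (keys.length !== 1 || keys[0] !== 'entry' || !Array.isArray(doc.entry)) {
    return { ok: false, error: 'expected a single "entry" array' };
  }
  if (doc.entry.length > 100) {
    return { ok: false, error: 'too many entries' };
  }
  const entries = [];
  for (const item of doc.entry) {
    if (item === null || typeof item !== 'object' || Array.isArray(item)) {
      return { ok: false, error: 'entry must be an object' };
    }
    // Exactly the two fields seen in the thread, with tight types and bounds
    // (assumed limits: id is a short decimal string, text at most 256 chars).
    const fields = Object.keys(item).sort();
    if (fields.length !== 2 || fields[0] !== 'id' || fields[1] !== 'text') {
      return { ok: false, error: 'entry must have exactly id and text' };
    }
    if (typeof item.id !== 'string' || !/^[0-9]{1,9}$/.test(item.id)) {
      return { ok: false, error: 'bad id' };
    }
    if (typeof item.text !== 'string' || item.text.length > 256) {
      return { ok: false, error: 'bad text' };
    }
    entries.push({ id: Number(item.id), text: item.text });
  }
  return { ok: true, entries };
}

// Constructed inputs: the thread's JS literal (rejected) and strict JSON (accepted).
const LITERAL_FROM_THREAD = "{ entry: [ { id: '1', text: 'testing1' }, ], }";
const STRICT_JSON = '{"entry":[{"id":"1","text":"testing1"},{"id":"2","text":"testing2"}]}';
console.log(parseEntries(LITERAL_FROM_THREAD).error);
console.log(parseEntries(STRICT_JSON).entries);
```

Accepting only a known shape does not remove the SQL injection problem the reply above points to: the `text` values still have to go into parameterized queries and be output-encoded.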
