Ajax Security

12 Dec 2006

Recently, Jeremiah posted an article about Ajax security. He's a good writer and manages to clarify some misconceptions, but I disagree with one of his points about XSS. (I'll get to that in a minute.) His discussion on XSS begins with a question and (safe) answer:

Does Ajax make Cross-Site Scripting (XSS) attacks worse? I hope not.

He goes on to explain all of the exploits that are possible with plain JavaScript before touching on an important point about the social impact of Ajax:

Ajax has fired up interest in JavaScript. Research in JavaScript has led to new malware discoveries whose potential severity is amplified by ubiquitous XSS vulnerabilities.

A year ago, Keith Casey asked me a probing question about Ajax in an interview for CodeSnipers.com:

How does Ajax change security? Are developers prepared for it?

At that time, I hadn't given much thought to any of this, but I managed to give an answer that's still relevant today:

Within the next few years, we're certain to see more advanced cross-site scripting (XSS) attacks emerge, because client-side technologies are getting more and more sophisticated. The popularity of Ajax will also generate an increased number of attackers who possess a rich understanding of client-side technologies. In other words, Ajax won't make cross-site scripting (XSS) vulnerabilities more likely, but it will make them more dangerous.

Yes, Ajax makes XSS attacks worse. It's too late for "I hope not." :-)

Jeremiah does make a concession:

To be fair, the Samy Worm that hit MySpace and JS-Yamaner on Yahoo exploited XHR for propagation.

He qualifies this statement, however, with something that's not true:

The attack could have just as easily been perpetrated using plain JavaScript. Ajax is irrelevant in this scenario.

The reason this isn't true is buried within Samy's technical explanation:

Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.

If this is possible without Ajax, we're all in big trouble. Via private email, Jeremiah clarified his point:

I was trying to say that just because the Samy worm used Ajax technology, it doesn't mean that if a web site (MySpace) uses it then it's at additional risk.

That's certainly true, and it underscores a very valid point being made in the article. However, I want to make sure people don't miss the fact that, regardless of whether you use Ajax, it can be used against you.